mod_lua and subprocess_env


mod_lua and subprocess_env

Andrei Ivanov
Hi,
I'm trying to create a lua authorization script but I can't seem to access the request environment:

require 'apache2'

function authz_check_remote_ip_in_client_san(r)
        r:err("remote_ip_in_client_san running...");
        r:alert("uri: " .. r.uri);
        r:alert("useragent_ip: " .. r.useragent_ip);
        local ip = r.subprocess_env["REMOTE_ADDRESS"];
        r:crit("REMOTE_ADDRESS: " .. (ip or "N/A"));
        r:emerg("SSL_CLIENT_SAN_IPaddr: " .. (r.subprocess_env["SSL_CLIENT_SAN_IPaddr"] or "N/A"));

        return apache2.AUTHZ_GRANTED
end

The logs show entries like this for the values accessed from r.subprocess_env:
REMOTE_ADDRESS: N/A
SSL_CLIENT_SAN_IPaddr: N/A


LuaScope thread
LuaAuthzProvider remote_ip_in_client_san /etc/httpd/authz/authz_check_remote_ip_in_client_san.lua authz_check_remote_ip_in_client_san
<Location />
    Require remote_ip_in_client_san

    # these don't seem to work so I'm trying to implement them in a LUA script
    #NSSRequire %{REMOTE_ADDR} in %{SSL_CLIENT_SAN_IPaddr}
    #Require expr "%{REMOTE_ADDR} in %{SSL_CLIENT_SAN_IPaddr}"
</Location>

What am I doing wrong?

Thank you in advance.

Re: mod_lua and subprocess_env

Daniel Gruno-2
On 02/14/2017 12:38 PM, Andrei Ivanov wrote:

> Hi,
> I'm trying to create a lua authorization script but I can't seem to
> access the request environment:
>
> require 'apache2'
>
> function authz_check_remote_ip_in_client_san(r)
>         r:err("remote_ip_in_client_san running...");
>         r:alert("uri: " .. r.uri);
>         r:alert("useragent_ip: " .. r.useragent_ip);
>         local ip = r.subprocess_env["REMOTE_ADDRESS"];
>         r:crit("REMOTE_ADDRESS: " .. (ip or "N/A"));
>         r:emerg("SSL_CLIENT_SAN_IPaddr: " ..
> (r.subprocess_env["SSL_CLIENT_SAN_IPaddr"] or "N/A"));


use r:ssl_var_lookup("SSL_CLIENT_SAN_IPaddr") instead.
r:ssl_var_lookup does the special SSL vars.

With regards,
Daniel.

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


Re: mod_lua and subprocess_env

Andrei Ivanov
On Tue, Feb 14, 2017 at 1:59 PM, Daniel Gruno <[hidden email]> wrote:
> On 02/14/2017 12:38 PM, Andrei Ivanov wrote:
>> Hi,
>> I'm trying to create a lua authorization script but I can't seem to
>> access the request environment:
>>
>> require 'apache2'
>>
>> function authz_check_remote_ip_in_client_san(r)
>>         r:err("remote_ip_in_client_san running...");
>>         r:alert("uri: " .. r.uri);
>>         r:alert("useragent_ip: " .. r.useragent_ip);
>>         local ip = r.subprocess_env["REMOTE_ADDRESS"];
>>         r:crit("REMOTE_ADDRESS: " .. (ip or "N/A"));
>>         r:emerg("SSL_CLIENT_SAN_IPaddr: " ..
>> (r.subprocess_env["SSL_CLIENT_SAN_IPaddr"] or "N/A"));

What about r.subprocess_env["REMOTE_ADDRESS"]? Shouldn't that work at least?

> use r:ssl_var_lookup("SSL_CLIENT_SAN_IPaddr") instead.
> r:ssl_var_lookup does the special SSL vars.

I don't get a nil anymore, but I seem to get back an empty string :-(
SSL_CLIENT_SAN_IPaddr should be exposed by mod_nss, activated in this virtual host.



Re: mod_lua and subprocess_env

Daniel Gruno-2
On 02/14/2017 01:16 PM, Andrei Ivanov wrote:

> On Tue, Feb 14, 2017 at 1:59 PM, Daniel Gruno <[hidden email]> wrote:
>
>     On 02/14/2017 12:38 PM, Andrei Ivanov wrote:
>     > Hi,
>     > I'm trying to create a lua authorization script but I can't seem to
>     > access the request environment:
>     >
>     > require 'apache2'
>     >
>     > function authz_check_remote_ip_in_client_san(r)
>     >         r:err("remote_ip_in_client_san running...");
>     >         r:alert("uri: " .. r.uri);
>     >         r:alert("useragent_ip: " .. r.useragent_ip);
>     >         local ip = r.subprocess_env["REMOTE_ADDRESS"];
>     >         r:crit("REMOTE_ADDRESS: " .. (ip or "N/A"));
>     >         r:emerg("SSL_CLIENT_SAN_IPaddr: " ..
>     > (r.subprocess_env["SSL_CLIENT_SAN_IPaddr"] or "N/A"));
>
>
> What about r.subprocess_env["REMOTE_ADDRESS"]? Shouldn't that work at least?

Not exactly, this isn't CGI - the remote IP is exposed through
r.useragent_ip. Getting environment variables is tricky since the Lua VM
is sort of detached from the actual thread handling the request.

>  
>
>     use r:ssl_var_lookup("SSL_CLIENT_SAN_IPaddr") instead.
>     r:ssl_var_lookup does the special SSL vars.
>
>
> I don't get a nil now anymore, but I seem to get back an empty string :-(
> SSL_CLIENT_SAN_IPaddr should be exposed by mod_nss, activated in this
> virtual host.

If it's not exposed by mod_ssl, then it may not be available through
that call. You should try finding the corresponding mod_ssl variable if
possible.



Re: mod_lua and subprocess_env

Andrei Ivanov
On Tue, Feb 14, 2017 at 2:19 PM, Daniel Gruno <[hidden email]> wrote:
> On 02/14/2017 01:16 PM, Andrei Ivanov wrote:
>> What about r.subprocess_env["REMOTE_ADDRESS"]? Shouldn't that work at least?
>
> Not exactly, this isn't CGI - the remote IP is exposed through
> r.useragent_ip. Getting environment variables is tricky since the Lua VM
> is sort of detached from the actual thread handling the request.

I was using the REMOTE_ADDRESS since it was used as an example in a post :-)
http://lua-users.org/lists/lua-l/2010-07/msg00671.html
Is subprocess_env working at all?

>> I don't get a nil anymore, but I seem to get back an empty string :-(
>> SSL_CLIENT_SAN_IPaddr should be exposed by mod_nss, activated in this
>> virtual host.
>
> If it's not exposed by mod_ssl, then it may not be available through
> that call. You should try finding the corresponding mod_ssl variable if
> possible.

I'm using mod_nss exactly because mod_ssl doesn't expose that variable, and my issue requesting that has been sitting ignored for 2 months now :-(
I was hoping this would help:
<Files ~ "\.(cgi|shtml|phtml|php3|lua?)$">
    NSSOptions +StdEnvVars
</Files>

Re: mod_lua and subprocess_env

Daniel Gruno-2
On 02/14/2017 01:24 PM, Andrei Ivanov wrote:

> On Tue, Feb 14, 2017 at 2:19 PM, Daniel Gruno <[hidden email]> wrote:
>
>     > What about r.subprocess_env["REMOTE_ADDRESS"]? Shouldn't that work at least?
>
>     Not exactly, this isn't CGI - the remote IP is exposed through
>     r.useragent_ip. Getting environment variables is tricky since the Lua VM
>     is sort of detached from the actual thread handling the request.
>
>
> I was using the REMOTE_ADDRESS since it was used as an example in a post :-)
> http://lua-users.org/lists/lua-l/2010-07/msg00671.html
> Is subprocess_env working at all?

Shortest answer I can think of is: Yes, but it doesn't do what you think
it does. It's not equivalent to os.getenv().

Perhaps later I'll elaborate on that...when I have my brain with me.


Re: mod_lua and subprocess_env

Yann Ylavic
On Tue, Feb 14, 2017 at 1:24 PM, Andrei Ivanov <[hidden email]> wrote:
>
> I'm using mod_nss exactly because mod_ssl doesn't expose that variable and
> my issue that requests that is sitting ignored for 2 months now :-(

Did you try something with SSLRequire or a <if> expression like
"'<myip>' -in PeerExtList('2.5.29.17')" ?

I never tested it, but since '2.5.29.17' is the OID for the
certificate's SAN, and PeerExtList() may return the list of the inner
strings, it could possibly work...


Regards,
Yann.


Re: mod_lua and subprocess_env

Andrei Ivanov
On Thu, Feb 16, 2017 at 2:49 PM, Yann Ylavic <[hidden email]> wrote:
> On Tue, Feb 14, 2017 at 1:24 PM, Andrei Ivanov <[hidden email]> wrote:
>>
>> I'm using mod_nss exactly because mod_ssl doesn't expose that variable, and
>> my issue requesting that has been sitting ignored for 2 months now :-(
>
> Did you try something with SSLRequire or a <if> expression like
> "'<myip>' -in PeerExtList('2.5.29.17')" ?
>
> I never tested it, but since '2.5.29.17' is the OID for the
> certificate's SAN, and PeerExtList() may return the list of the inner
> strings, it could possibly work...

I gave it a try, but it seems to reach the same limitation of the expression engine :-(
NSSRequire %{REMOTE_ADDR} in PeerExtList('2.5.29.17')
or
Require expr "%{REMOTE_ADDR} in PeerExtList('2.5.29.17')"

AH00526: Syntax error on line 229 of /etc/httpd/conf.d/nss.conf:
Cannot parse expression in require line: syntax error, unexpected $end

Re: mod_lua and subprocess_env

Yann Ylavic
On Thu, Feb 16, 2017 at 2:46 PM, Andrei Ivanov <[hidden email]> wrote:
>
> I gave it a try, but seems to reach the same limitation of the expression
> engine :-(
> NSSRequire %{REMOTE_ADDR} in PeerExtList('2.5.29.17')
> or
> Require expr "%{REMOTE_ADDR} in PeerExtList('2.5.29.17')"
>
> AH00526: Syntax error on line 229 of /etc/httpd/conf.d/nss.conf:
> Cannot parse expression in require line: syntax error, unexpected $end

This (PeerExtList), for once, is a mod_ssl (and possibly not mod_nss?)
extension...


Regards,
Yann.


Re: mod_lua and subprocess_env

Andrei Ivanov
On Thu, Feb 16, 2017 at 5:20 PM, Yann Ylavic <[hidden email]> wrote:
> On Thu, Feb 16, 2017 at 2:46 PM, Andrei Ivanov <[hidden email]> wrote:
>>
>> I gave it a try, but it seems to reach the same limitation of the expression
>> engine :-(
>> NSSRequire %{REMOTE_ADDR} in PeerExtList('2.5.29.17')
>> or
>> Require expr "%{REMOTE_ADDR} in PeerExtList('2.5.29.17')"
>>
>> AH00526: Syntax error on line 229 of /etc/httpd/conf.d/nss.conf:
>> Cannot parse expression in require line: syntax error, unexpected $end
>
> This (PeerExtList), for once, is a mod_ssl (and possibly not mod_nss?)
> extension...

Hmm, indeed.

This one still doesn't work:
Require expr "%{REMOTE_ADDR} in PeerExtList('2.5.29.17')"
AH00526: Syntax error on line 145 of /etc/httpd/conf.d/ssl.conf:
Cannot parse expression in require line: syntax error, unexpected $end

But this one passes the configuration check:
SSLRequire %{REMOTE_ADDR} in PeerExtList('2.5.29.17')

The problem now is that I can't get it to pass when testing it with requests :-(
[Thu Feb 16 18:12:38.928842 2017] [ssl:info] [pid 29931] [client 159.107.78.128:60511] AH02266: Access to /var/www/html/index.php denied for 159.107.78.128 (requirement expression not fulfilled)
[Thu Feb 16 18:12:38.928961 2017] [ssl:info] [pid 29931] [client 159.107.78.128:60511] AH02228: Failed expression: %{REMOTE_ADDR} in PeerExtList('2.5.29.17')
[Thu Feb 16 18:12:38.928972 2017] [ssl:error] [pid 29931] [client 159.107.78.128:60511] AH02229: access to /var/www/html/index.php failed, reason: SSL requirement expression not fulfilled

The client certificate gets validated, but the expression fails.
Is there a way to debug this? To print the values from the expression in the logs maybe?

Re: mod_lua and subprocess_env

Eric Covener
On Thu, Feb 16, 2017 at 11:16 AM, Andrei Ivanov <[hidden email]> wrote:
> Is there a way to debug this? To print the values from the expression in the
> logs maybe?

One simple way to debug is to use the same [sub-]expressions in
mod_headers conditions or header values
--
Eric Covener
[hidden email]


Re: mod_lua and subprocess_env

Yann Ylavic
On Thu, Feb 16, 2017 at 5:16 PM, Andrei Ivanov <[hidden email]> wrote:
>
> This one still doesn't work:
> Require expr "%{REMOTE_ADDR} in PeerExtList('2.5.29.17')"
> AH00526: Syntax error on line 145 of /etc/httpd/conf.d/ssl.conf:
> Cannot parse expression in require line: syntax error, unexpected $end

The expr operator is "-in" (with the dash),

>
> But this one passes the configuration check:
> SSLRequire %{REMOTE_ADDR} in PeerExtList('2.5.29.17')

and "in" (no dash) for SSLRequire.


Regards,
Yann.


Re: mod_lua and subprocess_env

Andrei Ivanov
On Thu, Feb 16, 2017 at 9:26 PM, Eric Covener <[hidden email]> wrote:
> On Thu, Feb 16, 2017 at 11:16 AM, Andrei Ivanov <[hidden email]> wrote:
>> Is there a way to debug this? To print the values from the expression in the
>> logs maybe?
>
> One simple way to debug is to use the same [sub-]expressions in
> mod_headers conditions or header values

Great idea, thanks :-)

Header set Client-IP "%{REMOTE_ADDR}e"
Header set Client-SAN "%{PeerExtList('2.5.29.17')}s"
Header set Client-DN "%{SSL_CLIENT_S_DN}s"

Client-IP: 159.107.78.110
Client-SAN: (null)
Client-DN: CN=client-with-subjectAltName-with-just-IPs-2

Unfortunately, I don't get the Client SAN :-(

Btw, this is with Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips
I was also trying the Header with expr=value, but then I noticed it's available in 2.4.10 and later.

Re: mod_lua and subprocess_env

Andrei Ivanov
On Fri, Feb 17, 2017 at 12:18 PM, Andrei Ivanov <[hidden email]> wrote:
> Header set Client-SAN "%{PeerExtList('2.5.29.17')}s"
>
> Client-SAN: (null)
>
> Unfortunately, I don't get the Client SAN :-(
>
> Btw, this is with Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips

Can anybody understand why this doesn't work? :-(
Please help.

Re: mod_lua and subprocess_env

Andrei Ivanov
On Mon, Feb 20, 2017 at 11:31 AM, Andrei Ivanov <[hidden email]> wrote:
> Can anybody understand why this doesn't work? :-(
> Please help.

Yann? Any thoughts please?


Re: mod_lua and subprocess_env

Yann Ylavic
On Tue, Feb 21, 2017 at 4:50 PM, Andrei Ivanov <[hidden email]> wrote:
>>>
>>> Header set Client-SAN "%{PeerExtList('2.5.29.17')}s"

The syntax may be rather:

Header set Client-SAN "expr=%{PeerExtList:2.5.29.17}"

Does it work better?


Re: mod_lua and subprocess_env

Andrei Ivanov
On Tue, Feb 21, 2017 at 6:32 PM, Yann Ylavic <[hidden email]> wrote:
> On Tue, Feb 21, 2017 at 4:50 PM, Andrei Ivanov <[hidden email]> wrote:
>>>>
>>>> Header set Client-SAN "%{PeerExtList('2.5.29.17')}s"
>
> The syntax may be rather:
>
> Header set Client-SAN "expr=%{PeerExtList:2.5.29.17}"
>
> Does it work better?

Uf, no :-(
As I've mentioned above, this is with Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips.
I was also trying the Header with expr=value, but then I noticed it's available in 2.4.10 and later.
 

Re: mod_lua and subprocess_env

Andrei Ivanov
On Tue, Feb 21, 2017 at 6:43 PM, Andrei Ivanov <[hidden email]> wrote:
> On Tue, Feb 21, 2017 at 6:32 PM, Yann Ylavic <[hidden email]> wrote:
>> Header set Client-SAN "expr=%{PeerExtList:2.5.29.17}"
>>
>> Does it work better?
>
> Uf, no :-(
> I've mentioned above, this is with Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips
> I was also trying the Header with expr=value, but then I noticed it's available in 2.4.10 and later


Trying with the latest Apache/2.4.25 and switching to expression values:
- These work:
    Header set Client-IP "expr=%{REMOTE_ADDR}"
    Header set Client-DN "expr=%{SSL_CLIENT_S_DN}"

- These do not work, even after I adapted the expression following the documentation,
   "Function calls use the %{funcname:arg} syntax rather than funcname(arg).":
  
   Header set Client-SAN "expr=%{PeerExtList:2.5.29.17}"
   Can't parse value expression : Function 'PeerExtList' does not exist

What should I do?
At least the standard expressions ("%{PeerExtList('2.5.29.17')}s") had a modifier that indicated it's an SSL
expression and knew how to invoke it... even if it didn't work :-/

Re: mod_lua and subprocess_env

Yann Ylavic
On Tue, Feb 21, 2017 at 5:43 PM, Andrei Ivanov <[hidden email]> wrote:

> On Tue, Feb 21, 2017 at 6:32 PM, Yann Ylavic <[hidden email]> wrote:
>>
>> On Tue, Feb 21, 2017 at 4:50 PM, Andrei Ivanov <[hidden email]>
>> wrote:
>> >>>
>> >>> Header set Client-SAN "%{PeerExtList('2.5.29.17')}s"
>>
>> The syntax may be rather:
>>
>> Header set Client-SAN "expr=%{PeerExtList:2.5.29.17}"
>>
>> Does it work better?
>
>
> Uf, no :-(
I've got it to work (in 2.4.25), with a patch (attached), and for
me it outputs:
    Client-SAN: DNS:www1.domain.tld, DNS:www2.domain.tld,
DNS:www3.domain.tld, IP Address:192.168.150.80, IP
Address:192.168.150.145, IP Address:172.25.25.100

So I guess something like:
    Require expr "('IP Address:' . %{REMOTE_ADDR}) -in PeerExtList('2.5.29.17')"
should work (at least with 2.4.5).


Regards,
Yann.



Attachment: ap_expr_eval_list-string.patch (6K)
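As an added illustration (not code from the thread or from httpd), here is the comparison that the final `Require expr "('IP Address:' . %{REMOTE_ADDR}) -in PeerExtList('2.5.29.17')"` performs, re-implemented in Python: it shows why the bare `%{REMOTE_ADDR}` never matches an `IP Address:` entry, that `-in` is an exact whole-element comparison (so 192.168.150.8 cannot match 192.168.150.80), and, going beyond the thread, that IPv6 addresses should be normalized rather than string-compared. `SAMPLE_SAN` is the list Yann's patched 2.4.25 printed; `SAMPLE_SAN_V6` is a constructed sample.

```python
"""Added example: the list-membership check behind the thread's final
Require expr, re-implemented so its semantics can be inspected offline."""
import ipaddress
from typing import List

# PeerExtList('2.5.29.17') output as printed by Yann's patched 2.4.25 run in this thread.
SAMPLE_SAN = ("DNS:www1.domain.tld, DNS:www2.domain.tld, DNS:www3.domain.tld, "
              "IP Address:192.168.150.80, IP Address:192.168.150.145, "
              "IP Address:172.25.25.100")

# Constructed sample: an IPv6 SAN entry in an uncompressed, uppercase text form,
# which does not equal the "2001:db8::1" that REMOTE_ADDR would carry.
SAMPLE_SAN_V6 = "DNS:api.example.test, IP Address:2001:DB8:0:0:0:0:0:1"

IP_PREFIX = "IP Address:"


def parse_peer_ext_list(text: str) -> List[str]:
    """Rebuild the list PeerExtList() yields from its printable, comma-joined form."""
    return [entry.strip() for entry in text.split(",") if entry.strip()]


def expr_in(needle: str, entries: List[str]) -> bool:
    """Mirror ap_expr's -in: an exact, whole-element string comparison,
    never a substring or prefix match."""
    return any(needle == entry for entry in entries)


def naive_check(remote_addr: str, san_text: str) -> bool:
    """What '%{REMOTE_ADDR} -in PeerExtList(...)' tests: the bare address never
    equals an 'IP Address:...' entry, so this is always False."""
    return expr_in(remote_addr, parse_peer_ext_list(san_text))


def prefixed_check(remote_addr: str, san_text: str) -> bool:
    """What the thread's final expression tests: 'IP Address:' . %{REMOTE_ADDR}."""
    return expr_in(IP_PREFIX + remote_addr, parse_peer_ext_list(san_text))


def san_ip_addresses(san_text: str) -> list:
    """Extract and parse the IP entries so that textual variants compare equal;
    a malformed entry is skipped rather than treated as a match."""
    parsed = []
    for entry in parse_peer_ext_list(san_text):
        if entry.startswith(IP_PREFIX):
            try:
                parsed.append(ipaddress.ip_address(entry[len(IP_PREFIX):]))
            except ValueError:
                continue
    return parsed


def normalized_check(remote_addr: str, san_text: str) -> bool:
    """Compare parsed addresses instead of strings; this is what a script outside
    ap_expr (for example a mod_lua authz provider) should do for IPv6 clients."""
    try:
        client = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return client in san_ip_addresses(san_text)


if __name__ == "__main__":
    both = SAMPLE_SAN + ", " + SAMPLE_SAN_V6
    for ip in ("192.168.150.80", "192.168.150.8", "2001:db8::1"):
        print(ip, "naive:", naive_check(ip, both), "prefixed:", prefixed_check(ip, both),
              "normalized:", normalized_check(ip, both))
```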

Re: mod_lua and subprocess_env

Yann Ylavic
On Wed, Feb 22, 2017 at 1:09 AM, Yann Ylavic <[hidden email]> wrote:

> On Tue, Feb 21, 2017 at 5:43 PM, Andrei Ivanov <[hidden email]> wrote:
>> On Tue, Feb 21, 2017 at 6:32 PM, Yann Ylavic <[hidden email]> wrote:
>>>
>>> On Tue, Feb 21, 2017 at 4:50 PM, Andrei Ivanov <[hidden email]>
>>> wrote:
>>> >>>
>>> >>> Header set Client-SAN "%{PeerExtList('2.5.29.17')}s"
>>>
>>> The syntax may be rather:
>>>
>>> Header set Client-SAN "expr=%{PeerExtList:2.5.29.17}"
>>>
>>> Does it work better?
>>
>>
>> Uf, no :-(
>
> I've got it to work in (in 2.4.25), with a patch (attached), and for
> me it outputs:
>     Client-SAN: DNS:www1.domain.tld, DNS:www2.domain.tld,
> DNS:www3.domain.tld, IP Address:192.168.150.80, IP
> Address:192.168.150.145, IP Address:172.25.25.100
>
> So I guess something like:
>     Require expr "('IP Address:' . %{REMOTE_ADDR}) -in PeerExtList('2.5.29.17')"
> should work (at least with 2.4.5).

I meant 2.4.25 here...
