Subject: Re: how to avoid balancer manager nonce?
From: Jim Jagielski
Date: Wed, 5 Sep 2012 06:57:51 -0400
To: dev@httpd.apache.org

FWIW, I have time this week to impl this... Feedback/Concerns?

On Sep 1, 2012, at 11:47 AM, Jim Jagielski wrote:

> Another alternative would be to have the nonce also possibly
> set at config-time and, if unset, then use the uuid. That way
> it could also be used as a sort of shared-secret ;)
>
> ProxySet nonce="applepie!"
>
> Longer term, I think that's a more "strategic" solution.
>
> On Aug 31, 2012, at 2:14 PM, Stefan Fritsch wrote:
>
>> On Friday 31 August 2012, Eric Covener wrote:
>>> I'm fighting a problem on new releases of AIX where in some
>>> environments, /dev/random seems to run out of entropy way too
>>> quick.
>>>
>>> I'd like a way to suppress the apr_uuid_get->
>>> apr_generate_random_bytes() in mod_proxy_balancer used for the
>>> balancer-manager nonce in affected environments.
>>>
>>> I was thinking a global "BalancerManager off" could be used for
>>> this and would also have the upside of fixing the SetHandler
>>> htaccess problem.
>>>
>>> Alternatives would be to find a weaker source for the nonce, or
>>> allow to opt out / use a hard-coded one.
>>>
>>> Any suggestions?
>>
>> For 2.4, you could use ap_random_insecure_bytes(). It should be good
>> enough for a nonce.
>>
>> If you add a "BalancerManager off", it should be per directory, or at
>> least per vhost. Otherwise it would not help that much with the
>> SetHandler htaccess problem.
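
The config-time nonce with UUID fallback proposed in the quoted message, as an added sketch that is not part of the original thread or of httpd's code. The function names are hypothetical, and /dev/urandom is an assumption standing in for the apr_uuid_get() source discussed above; the comparison routine is also an addition.

```c
/* Added illustration; function names are hypothetical, not httpd/APR symbols. */
#include <stdio.h>
#include <string.h>

#define NONCE_LEN 36            /* textual UUID length, without the NUL */

/* Fill `out` with the configured nonce if one was given; otherwise build a
 * UUID-shaped string from 16 bytes of /dev/urandom (assumption: a
 * non-blocking source swapped in for apr_uuid_get()).
 * Returns 0 on success, -1 on error. */
int balancer_nonce_init(const char *configured, char out[NONCE_LEN + 1])
{
    unsigned char r[16];
    FILE *f;

    if (configured != NULL) {
        if (configured[0] == '\0' || strlen(configured) > NONCE_LEN)
            return -1;          /* reject empty or oversized values */
        strcpy(out, configured);
        return 0;
    }
    f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return -1;
    if (fread(r, 1, sizeof r, f) != sizeof r) {
        fclose(f);
        return -1;
    }
    fclose(f);
    snprintf(out, NONCE_LEN + 1, "%02x%02x%02x%02x-%02x%02x-%02x%02x-"
             "%02x%02x-%02x%02x%02x%02x%02x%02x",
             r[0], r[1], r[2], r[3], r[4], r[5], r[6], r[7],
             r[8], r[9], r[10], r[11], r[12], r[13], r[14], r[15]);
    return 0;
}

/* Check a request's nonce against the stored one with no early exit on the
 * first mismatching byte. Returns 1 on match, 0 otherwise. */
int balancer_nonce_ok(const char *stored, const char *supplied)
{
    size_t n = strlen(stored), m = supplied ? strlen(supplied) : 0, i;
    unsigned char diff = (unsigned char)(n != m);

    for (i = 0; i < n; i++)
        diff |= (unsigned char)(stored[i] ^ (i < m ? supplied[i] : 0));
    return diff == 0;
}
```

A configured value acts as a shared secret, so it protects the manager only as far as it is hard to guess.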