Date: Wed, 5 Sep 2012 12:08:12 +0100
Subject: Re: how to avoid balancer manager nonce?
From: Ben Laurie
To: dev@httpd.apache.org

On Wed, Sep 5, 2012 at 11:57 AM, Jim Jagielski wrote:
> FWIW, I have time this week to impl this...
>
> Feedback/Concerns?

I still want to know what the "nonce" is actually for! Are you going
to make me read the code and guess?

>
> On Sep 1, 2012, at 11:47 AM, Jim Jagielski wrote:
>
>> Another alternative would be to have the nonce also possibly
>> set at config-time and, if unset, then use the uuid. That way
>> it could also be used as a sort of shared-secret ;)
>>
>> ProxySet nonce="applepie!"
>>
>> Longer term, I think that's a more "strategic" solution.
>>
>> On Aug 31, 2012, at 2:14 PM, Stefan Fritsch wrote:
>>
>>> On Friday 31 August 2012, Eric Covener wrote:
>>>> I'm fighting a problem on new releases of AIX where in some
>>>> environments, /dev/random seems to run out of entropy way too
>>>> quick.
>>>>
>>>> I'd like a way to suppress the apr_uuid_get->
>>>> apr_generate_random_bytes() in mod_proxy_balancer used for the
>>>> balancer-manager nonce in affected environments.
>>>>
>>>> I was thinking a global "BalancerManager off" could be used for
>>>> this and would also have the upside of fixing the SetHandler
>>>> htaccess problem.
>>>>
>>>> Alternatives would be to find a weaker source for the nonce, or
>>>> allow to opt out / use a hard-coded one.
>>>>
>>>> Any suggestions?
>>>
>>> For 2.4, you could use ap_random_insecure_bytes(). It should be good
>>> enough for a nonce.
>>>
>>> If you add a "BalancerManager off", it should be per directory, or at
>>> least per vhost. Otherwise it would not help that much with the
>>> SetHandler htaccess problem.
>>>
>>
>