Return-Path: <dev-return-89137-archive-asf-public=cust-asf.ponee.io@httpd.apache.org>
X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io
Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io
Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183])
	by cust-asf2.ponee.io (Postfix) with ESMTP id F31AC200C55
	for <archive-asf-public-internal@cust-asf2.ponee.io>; Thu, 30 Mar 2017 03:04:29 +0200 (CEST)
Received: by cust-asf.ponee.io (Postfix)
	id F1801160B95; Thu, 30 Mar 2017 01:04:29 +0000 (UTC)
Delivered-To: archive-asf-public@cust-asf.ponee.io
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by cust-asf.ponee.io (Postfix) with SMTP id 43EA7160B8A
	for <archive-asf-public@cust-asf.ponee.io>; Thu, 30 Mar 2017 03:04:29 +0200 (CEST)
Received: (qmail 13896 invoked by uid 500); 30 Mar 2017 01:04:23 -0000
Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm
Precedence: bulk
Reply-To: dev@httpd.apache.org
list-help: <mailto:dev-help@httpd.apache.org>
list-unsubscribe: <mailto:dev-unsubscribe@httpd.apache.org>
List-Post: <mailto:dev@httpd.apache.org>
List-Id: <dev.httpd.apache.org>
Delivered-To: mailing list dev@httpd.apache.org
Received: (qmail 13883 invoked by uid 99); 30 Mar 2017 01:04:23 -0000
Received: from pnap-us-west-generic-nat.apache.org (HELO spamd1-us-west.apache.org) (209.188.14.142)
    by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 30 Mar 2017 01:04:23 +0000
Received: from localhost (localhost [127.0.0.1])
	by spamd1-us-west.apache.org (ASF Mail Server at spamd1-us-west.apache.org) with ESMTP id C22D6C68B1
	for <dev@httpd.apache.org>; Thu, 30 Mar 2017 01:04:22 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at spamd1-us-west.apache.org
X-Spam-Flag: NO
X-Spam-Score: -0.002
X-Spam-Level: 
X-Spam-Status: No, score=-0.002 tagged_above=-999 required=6.31
	tests=[RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=disabled
Received: from mx1-lw-eu.apache.org ([10.40.0.8])
	by localhost (spamd1-us-west.apache.org [10.40.0.7]) (amavisd-new, port 10024)
	with ESMTP id SZ8RVOzzS4Zp for <dev@httpd.apache.org>;
	Thu, 30 Mar 2017 01:04:21 +0000 (UTC)
Received: from mail.redfish-solutions.com (mail.redfish-solutions.com [66.232.79.143])
	by mx1-lw-eu.apache.org (ASF Mail Server at mx1-lw-eu.apache.org) with ESMTPS id C5B9B5F2FE
	for <dev@httpd.apache.org>; Thu, 30 Mar 2017 01:04:20 +0000 (UTC)
Received: from macmini.redfish-solutions.com (macmini.redfish-solutions.com [192.168.1.38])
	(authenticated bits=0)
	by mail.redfish-solutions.com (8.15.2/8.15.2) with ESMTPSA id v2U14Cie012735
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO)
	for <dev@httpd.apache.org>; Wed, 29 Mar 2017 19:04:12 -0600
From: Philip Prindeville <philipp_subx@redfish-solutions.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
Subject: Fwd: Quick 2.4 question
Message-Id: <B21C1E16-DDDD-4335-920B-6AF93C573763@redfish-solutions.com>
References: <968F290E-5A06-4373-B62D-C84546CEEF7F@redfish-solutions.com>
To: dev@httpd.apache.org
Date: Wed, 29 Mar 2017 19:04:18 -0600
X-Mailer: Apple Mail (2.3259)
X-Scanned-By: MIMEDefang 2.79 on 192.168.1.3
archived-at: Thu, 30 Mar 2017 01:04:30 -0000

We weren=E2=80=99t able to figure out the way to do this, and we=E2=80=99r=
e both wondering if this isn=E2=80=99t a bug.

If you can say:

<Location />
    Require env is_local_client
</Location>

to allow access contingent on the presence of a flag, it should also be =
possible to do the inverse: allow access contingent on the absence of a =
flag:

<Location />
    Require not env is_a_bogon
</Location>

Where is_a_bogon gets set via:

LoadModule setenvif_module modules/mod_setenvif.so

BrowserMatch =E2=80=9C^$=E2=80=9D is_a_bogon
BrowserMatch =E2=80=9C^ZmEu$=E2=80=9D is_a_bogon
BrowserMatch =E2=80=9C^Morfeus =E2=80=9C is_a_bogon
=E2=80=A6

<IfModule mod_geopi.c>
    SetEnvIf GEOIP_COUNTRY_CODE CN is_a_bogon
    SetEnvIf GEOIP_COUNTRY_CODE IR is_a_bogon
    SetEnvIf GEOIP_COUNTRY_CODE RU is_a_bogon
    SetEnvIf GEOIP_COUNTRY_CODE VN is_a_bogon
    =E2=80=A6
</IfModule>

etc.

So is_a_bogon only gets set if we=E2=80=99re seeing a User-Agent which =
is suspect, or if the traffic is originating from hacker havens.

But this doesn=E2=80=99t seem to be doable in any obvious way.

This looks a bit like BZ 53069.

For what it=E2=80=99s worth, though, I also tried:

<Location />
    <RequireAll>
        Require all granted
        Require not env is_a_bogon
    </RequireAll>
</Location>

but that results in:

--b4972c7d-A--
[29/Mar/2017:18:47:29 --0600] WNxVoSGJcKzTWLcEbdzNJgAAAAA 192.168.1.38 =
50909 192.168.1.3 443
--b4972c7d-B--
GET /downloads/powercodebmu-r3813-964ba7a-x86-xeon-combined-squashfs.img =
HTTP/1.1
User-Agent: Wget/1.14 (darwin12.3.0)
Accept: */*
Host: www.redfish-solutions.com
Connection: Keep-Alive

--b4972c7d-F--
HTTP/1.1 403 Forbidden
Content-Length: 276
Keep-Alive: timeout=3D5, max=3D100
Connection: Keep-Alive
Content-Type: text/html; charset=3Diso-8859-1

--b4972c7d-E--

--b4972c7d-H--
Apache-Error: [file "mod_authz_core.c"] [line 873] [level 3] AH01630: =
client denied by server configuration: %s%s
Stopwatch: 1490834849214254 1971 (- - -)
Stopwatch2: 1490834849214254 1971; combined=3D850, p1=3D725, p2=3D0, =
p3=3D1, p4=3D86, p5=3D38, sr=3D452, sw=3D0, l=3D0, gc=3D0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.0 (http://www.modsecurity.org/); =
OWASP_CRS/2.2.8.
Server: Apache/2.4.25 (Fedora) OpenSSL/1.0.2k-fips mod_nss/1.0.12 =
NSS/3.23 Basic ECC mod_perl/2.0.10 Perl/v5.22.3
Engine-Mode: "ENABLED"

--b4972c7d-Z=E2=80=94

so it=E2=80=99s not clear to me if there=E2=80=99s any way to achieve =
what I=E2=80=99m trying to do, or why the solution in BZ 53069 =
wouldn=E2=80=99t be applicable (by analogy) here.

More broadly on a philosophical level, looking at Comment 3 by Daniel =
Gruno:

https://bz.apache.org/bugzilla/show_bug.cgi?id=3D53069#c3

He writes:

=E2=80=9C[=E2=80=A6] I have made some changes to the access howto to =
emphasize that a negation cannot stand on its own.=E2=80=9D

Just out of curiosity, why can=E2=80=99t it stand on its own?

I don=E2=80=99t see anything intrinsically wrong about gating on the =
_absence_ of _negative factors_.

Can someone please set me straight?

Thanks,

-Philip



> Begin forwarded message:
>=20
> From: Philip Prindeville <philipp_subx@redfish-solutions.com>
> Subject: Quick 2.4 question
> Date: March 28, 2017 at 2:32:03 PM MDT
> To: "William A. Rowe Jr." <wrowe@rowe-clan.net>
>=20
> Hi William,
>=20
> Sorry to bother you with a triviality, but I=E2=80=99ve been wracking =
my brain with this one for a couple of hours now.
>=20
> I had an httpd-2.4 server that=E2=80=99s been humming for years, but =
recently (like 2 days ago following a Fedora 24 update) it started =
balking at ALL requests.
>=20
> Yes, I had been using Allow/Deny and mod_access_compat=E2=80=A6  =
I=E2=80=99ll turn that off momentarily.
>=20
> The culprit (and it took me a long time to find it!) was:
>=20
> <Location />
>    Deny from env=3Dis_a_bogon
> </Location>
>=20
> which I tried to rewrite as:
>=20
> <Location />
>    Require not env is_a_bogon
> </Location>
>=20
> but that complains about:
>=20
> Mar 28 14:04:49 mail httpd[2964]: AH00526: Syntax error on line 81 of =
/etc/httpd/conf.d/mod_setenvif.conf:
> Mar 28 14:04:49 mail httpd[2964]: negative Require directive has no =
effect in <RequireAny> directive
>=20
> I=E2=80=99ve also tried:
>=20
>    Require env !is_a_bogon
>=20
> but that gets me a syntax error.
>=20
> I looked at the 2.4 mod_setenvif pages but unfortunately it doesn=E2=80=99=
t go into a lot of detail of how to tie the tests together in with the =
actual Require directives.
>=20
> Can you set me straight here?
>=20
> Thanks,
>=20
> -Philip
>=20