Return-Path: Delivered-To: apmail-httpd-modules-dev-archive@minotaur.apache.org Received: (qmail 69520 invoked from network); 26 Sep 2009 10:04:17 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.3) by minotaur.apache.org with SMTP; 26 Sep 2009 10:04:17 -0000 Received: (qmail 30813 invoked by uid 500); 26 Sep 2009 10:04:16 -0000 Delivered-To: apmail-httpd-modules-dev-archive@httpd.apache.org Received: (qmail 30729 invoked by uid 500); 26 Sep 2009 10:04:15 -0000 Mailing-List: contact modules-dev-help@httpd.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: modules-dev@httpd.apache.org Delivered-To: mailing list modules-dev@httpd.apache.org Received: (qmail 30719 invoked by uid 99); 26 Sep 2009 10:04:15 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 26 Sep 2009 10:04:15 +0000 X-ASF-Spam-Status: No, hits=-0.0 required=10.0 tests=SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (nike.apache.org: domain of ivan.ristic@gmail.com designates 209.85.219.211 as permitted sender) Received: from [209.85.219.211] (HELO mail-ew0-f211.google.com) (209.85.219.211) by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 26 Sep 2009 10:04:04 +0000 Received: by ewy7 with SMTP id 7so3317214ewy.41 for ; Sat, 26 Sep 2009 03:03:44 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:cc:content-type; bh=iaaagcfPzK1p6Wd6AQToOAB0L5bZJ03zrm371NrY0tA=; b=Ghk2/BYSzWZ9qHl3jeQb8C4pCUPbn2rtCUoq7GkBTcrVR73RPOs0PeSzH9IoSBbW5Z kVJ3MQOjKn348Lm0oy0vkoX14vue/Q+gV2DgAU0NFdCMt/qVwofwxget0kRgV6pMm5rs I9vO/TVaM02s4A1XVpC/dlCD3DrY5oj97vjNA= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=m00d5EOkW1k/Eon+svBVkkz8Cs9u2fod99m+a/Gq8qLtv23IJ/5dodaFZid7Et1TIy CRzQ77zKmW1FjPkO9nmE9uX7G7JFtf20CTjQfk+fiVC9CTQRY4SpUlEt2Oifrl/TJDit SNY9mC4Ae+SHimJtYR7O0JFc5LEy6dxjVIl0M= MIME-Version: 1.0 Received: by 10.216.45.19 with SMTP id o19mr268977web.152.1253959423077; Sat, 26 Sep 2009 03:03:43 -0700 (PDT) In-Reply-To: <93a0cbe50909141314u40b100abu6f4496185b1a8a6a@mail.gmail.com> References: <1f9222b70909141239q5ca38de1o113b4c832b2cd9be@mail.gmail.com> <93a0cbe50909141314u40b100abu6f4496185b1a8a6a@mail.gmail.com> Date: Sat, 26 Sep 2009 11:03:43 +0100 Message-ID: <1f9222b70909260303y4302334ep5ce7508631157e5e@mail.gmail.com> Subject: Re: Output filter order selection From: Ivan Ristic To: modules-dev@httpd.apache.org Cc: Brian Rectanus Content-Type: text/plain; charset=ISO-8859-1 X-Virus-Checked: Checked by ClamAV on apache.org [Sorry for my late response Ben, I missed your reply originally. Comments below.] On Mon, Sep 14, 2009 at 9:14 PM, Ben Noordhuis wrote: > On Mon, Sep 14, 2009 at 21:39, Ivan Ristic wrote: >> There's an incompatibility between ModSecurity and mod_deflate, which >> I would like to fix it. (It is triggered when AddOutputFilterByType is >> used.) I basically need to ensure that ModSecurity's output filter >> runs before mod_deflate's in all cases. I am aware of mod_filter >> (which I suspect should be able to deal with this situation), but I >> prefer a solution that does not require further work on the part of >> ModSecurity users. > > It depends. If module X registers its output filter in, for example, > the post-config hook, you can register your own hook and have it run > before module X's like so: > > const char *runAfterUs = { "mod_x.c", NULL }; > ap_hook_post_config(your_post_config_hook, NULL, runAfterUs, HOOK_MIDDLE); > > If however the module registers its output filter during the 'register > hooks' phase like mod_deflate does, your best bet is to register your > own filter and manipulate the ap_filter_rec_t structure (which is > essentially a linked list) so that your filter comes before > mod_deflate's. Yes, I tried that first, but it didn't work. mod_deflate does register its hooks in the register_hooks phase, but they are added to the filter chain only later, by whoever handles the AddOutputFilterByType directive (the core, I am guessing). > It's not entirely according to the book but it should be a fairly > robust solution. ap_filter_rec_t lives in util_filter, which is part > of the module API, and isn't a opaque structure so I don't foresee it > changing anytime soon. > > This is, of course, to the best of my knowledge. I'm not aware of a > better way, but if there is, I'd also like to hear it. =) After some more poking I decided that registering ModSecurity's output filter to run as CONTENT_SET - 3 should be all right. A review of the Apache's code revealed that this method (subtracting and adding from known filter values) is used throughout to ensure filters run before or after other filters. There are some filters (SUBREQ_CORE, mod_expires and mod_cache) that use CONTENT_SET - 1 and CONTENT_SET - 2. No core module uses CONTENT_SET - 3. -- Ivan Ristic Security assessment of your SSL servers https://www.ssllabs.com/ssldb/