Message-ID: <40A983DA.3B3C383F@purlgurl.net>
Date: Mon, 17 May 2004 20:32:42 -0700
From: Purl Gurl
To: users@httpd.apache.org
References: <2576812186CDD411BF1500508B6DCE9507366DA0@ECNWRI1.ontario.int.ec.gc.ca>
Subject: Re: [users@httpd] Setting environment variables based on query string specifics

Tom wrote:

(snipped for brevity)

> I have a CGI binary running in Apache. The executable runs differently
> based on configuration files, i.e.

> http://localhost/cgi-bin/ ... P.map

> ...will behave differently than:

> http://localhost/cgi-bin/ ... g.map

> We would like to conceal this environment variable as it points to a file
> path.

Tom, I looked at variables which are hooked into set environment. My hope was to find a variable which could be used easily and not disclose your sensitive data. Etag caught my eye, but further research discloses this would not be a good choice.

Concealing URL data, query string data, is always challenging. Even when you can hide this from a browser, there are ways to discover the data, such as sniffing the stream. Proxitron has a nice feature for this, which is not nice for you.

What I always do, literally, to conceal sensitive data, is to "secret code" my data, pump it into a cgi application, then return results to a browser.

A simple example,

http .. url?input=a
http .. url?input=b
http .. url?input=c

A client only sees the a, b and c part of the query. Some security risks there, but acceptable.

Within my cgi application, the query string is parsed, my "secret code" translated to arguments, another program is executed and returns are then printed to the client.

You have a single cgi application which accepts input from any number of pages, form actions, query strings, whatever, a single application which performs all the work while concealing arguments and locations.
This is a "middle man" approach, which is what cgi does best.

I am not sure using Apache for this is your best option. You could use Apache, could use rewrite rules or other methods, but I think you will find this not efficient and rather challenging to establish, with security.

There is really only one method, of which I know, to conceal this type of data specific to your circumstances. This method is to keep your client outside, keep data completely internal and well protected.

Maybe others know of methods and will share them.

Kira

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
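
The "middle man" approach described in the message above, sketched as a wrapper CGI in Python. This is an added example, not code from the original post: the tokens a, b and c come from the message, while the file paths, the backend path `REAL_CGI` and the variable name `APP_CONFIG_FILE` are assumed placeholders.

```python
import os
import subprocess
import sys
from urllib.parse import parse_qs, urlencode

# Constructed allowlist: public token -> internal file (paths are placeholders).
TOKEN_TO_CONFIG = {
    "a": "/srv/maps/first.map",
    "b": "/srv/maps/second.map",
    "c": "/srv/maps/third.map",
}
REAL_CGI = "/usr/lib/cgi-bin/real-app"   # hypothetical backend binary
CONFIG_ENV = "APP_CONFIG_FILE"           # hypothetical variable the backend reads


def resolve_token(query_string):
    """Return the config path for exactly one known token, else None."""
    values = parse_qs(query_string, keep_blank_values=True).get("input", [])
    if len(values) != 1:          # missing or repeated parameter
        return None
    return TOKEN_TO_CONFIG.get(values[0])   # dict lookup only, never a path join


def build_child_env(environ):
    """Build the backend's environment, or return None to reject the request."""
    query = environ.get("QUERY_STRING", "")
    config = resolve_token(query)
    if config is None:
        return None
    params = parse_qs(query, keep_blank_values=True)
    params.pop("input")           # the backend never sees the public token
    child = dict(environ)
    child[CONFIG_ENV] = config    # overwrites any value inherited from outside
    child["QUERY_STRING"] = urlencode(params, doseq=True)
    return child


def main():
    child_env = build_child_env(os.environ)
    if child_env is None:
        # Same generic answer for every bad token: no hint about valid names.
        sys.stdout.write("Status: 400 Bad Request\r\nContent-Type: text/plain\r\n\r\nBad request\n")
        return 0
    # The backend writes its own CGI headers and body to our stdout.
    return subprocess.run([REAL_CGI], env=child_env).returncode


if __name__ == "__main__":
    sys.exit(main())
```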