httpd-users mailing list archives

From Daniel Gruno <humbed...@apache.org>
Subject Re: [users@httpd] mod_lua and subprocess_env
Date Tue, 14 Feb 2017 12:27:54 GMT
On 02/14/2017 01:24 PM, Andrei Ivanov wrote:
> On Tue, Feb 14, 2017 at 2:19 PM, Daniel Gruno <humbedooh@apache.org> wrote:
> 
>     On 02/14/2017 01:16 PM, Andrei Ivanov wrote:
>     > On Tue, Feb 14, 2017 at 1:59 PM, Daniel Gruno <humbedooh@apache.org> wrote:
>     >
>     >     On 02/14/2017 12:38 PM, Andrei Ivanov wrote:
>     >     > Hi,
>     >     > I'm trying to create a lua authorization script but I can't seem to
>     >     > access the request environment:
>     >     >
>     >     > require 'apache2'
>     >     >
>     >     > function authz_check_remote_ip_in_client_san(r)
>     >     >         r:err("remote_ip_in_client_san running...");
>     >     >         r:alert("uri: " .. r.uri);
>     >     >         r:alert("useragent_ip: " .. r.useragent_ip);
>     >     >         local ip = r.subprocess_env["REMOTE_ADDRESS"];
>     >     >         r:crit("REMOTE_ADDRESS: " .. (ip or "N/A"));
>     >     >         r:emerg("SSL_CLIENT_SAN_IPaddr: " ..
>     >     > (r.subprocess_env["SSL_CLIENT_SAN_IPaddr"] or "N/A"));
>     >
>     >
>     > What about r.subprocess_env["REMOTE_ADDRESS"]? Shouldn't that work at least?
> 
>     Not exactly, this isn't CGI - the remote IP is exposed through
>     r.useragent_ip. Getting environment variables is tricky since the Lua VM
>     is sort of detached from the actual thread handling the request.
> 
> 
> I was using the REMOTE_ADDRESS since it was used as an example in a post :-)
> http://lua-users.org/lists/lua-l/2010-07/msg00671.html
> Is subprocess_env working at all?

Shortest answer I can think of is: Yes, but it doesn't do what you think
it does. It's not equivalent to os.getenv().

Perhaps later I'll elaborate on that...when I have my brain with me.

> 
> 
>     >
>     >
>     >     use r:ssl_var_lookup("SSL_CLIENT_SAN_IPaddr") instead.
>     >     r:ssl_var_lookup does the special SSL vars.
>     >
>     >
>     > I don't get a nil now anymore, but I seem to get back an empty string :-(
>     > SSL_CLIENT_SAN_IPaddr should be exposed by mod_nss, activated in this
>     > virtual host.
> 
>     If it's not exposed by mod_ssl, then it may not be available through
>     that call. You should try finding the corresponding mod_ssl variable if
>     possible.
> 
> I'm using mod_nss exactly because mod_ssl doesn't expose that variable
> and my issue that requests that is sitting ignored for 2 months now :-(
> I was hoping this would help:
> <Files ~ "\.(cgi|shtml|phtml|php3|lua?)$">
>     NSSOptions +StdEnvVars
> </Files>
> 
>  
> 
>     >
>     >
>     >
>     >     With regards,
>     >     Daniel.
>     >
>     >     >
>     >     >         return apache2.AUTHZ_GRANTED
>     >     > end
>     >     >
>     >     > The logs show entries like this for the values accessed from
>     >     > r.subprocess_env:
>     >     > REMOTE_ADDRESS: N/A
>     >     > SSL_CLIENT_SAN_IPaddr: N/A
>     >     >
>     >     >
>     >     > LuaScope thread
>     >     > LuaAuthzProvider remote_ip_in_client_san /etc/httpd/authz/authz_check_remote_ip_in_client_san.lua authz_check_remote_ip_in_client_san
>     >     > <Location />
>     >     >     Require remote_ip_in_client_san
>     >     >
>     >     >     # these don't seem to work so I'm trying to implement them in a LUA script
>     >     >     #NSSRequire %{REMOTE_ADDR} in %{SSL_CLIENT_SAN_IPaddr}
>     >     >     #Require expr "%{REMOTE_ADDR} in %{SSL_CLIENT_SAN_IPaddr}"
>     >     > </Location>
>     >     >
>     >     > What am I doing wrong?
>     >     >
>     >     > Thank you in advance.
>     >
>     >
>     >     ---------------------------------------------------------------------
>     >     To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>     >     For additional commands, e-mail: users-help@httpd.apache.org
>     >
>     >
> 
> 
> 
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
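
The following is an added example, not part of the original messages and not httpd project code: a fail-closed version of the authorization function discussed in the thread, using `r.useragent_ip` and `r:ssl_var_lookup` as suggested in the replies. It assumes that `SSL_CLIENT_SAN_IPaddr`, when present, holds one or more addresses separated by commas or whitespace (the thread does not say how the value is formatted); `split_entries` is a hypothetical helper.

```lua
require 'apache2'

-- Hypothetical helper: split a variable value into individual entries.
-- Assumption: multiple SAN IP entries are separated by commas or
-- whitespace; the thread does not state the actual format.
local function split_entries(value)
    local entries = {}
    for entry in string.gmatch(value, "[^,%s]+") do
        entries[#entries + 1] = entry
    end
    return entries
end

function authz_check_remote_ip_in_client_san(r)
    -- The peer address comes from the request record, not subprocess_env.
    local client_ip = r.useragent_ip
    -- SSL variables are looked up through the SSL module, as advised
    -- in the thread.
    local san = r:ssl_var_lookup("SSL_CLIENT_SAN_IPaddr")

    -- Both nil and "" mean "no value". The idiom (san or "N/A") only
    -- catches nil, so an empty string must be tested explicitly.
    if client_ip == nil or san == nil or san == "" then
        r:err("SSL_CLIENT_SAN_IPaddr unavailable, denying " .. r.uri)
        return apache2.AUTHZ_DENIED
    end

    -- Exact string comparison: an address written in a different textual
    -- form (for example a non-canonical IPv6 string) will not match,
    -- which errs on the side of denial.
    for _, entry in ipairs(split_entries(san)) do
        if entry == client_ip then
            return apache2.AUTHZ_GRANTED
        end
    end

    r:warn("client " .. client_ip .. " not listed in certificate SAN")
    return apache2.AUTHZ_DENIED
end
```

Unlike the debugging script quoted above, which always returns `apache2.AUTHZ_GRANTED`, this version grants access only on a positive match, so a variable that the SSL module does not expose results in denial rather than access.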

