httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Yann Ylavic <>
Subject Re: [users@httpd] mod_lua and subprocess_env
Date Wed, 22 Mar 2017 15:03:17 GMT
On Wed, Mar 22, 2017 at 2:53 PM, Andrei Ivanov <> wrote:
> Welcome back :-)

Thanks ;)

> These expressions don't work anymore: Can't parse value expression :
> Function 'PeerExtList' does not exist
> Header set Client-SAN "expr=%{PeerExtList:}"
> Header set Expr1 "expr='IP Address:'.%{REMOTE_ADDR} -in
> %{PeerExtList:}"

This is not what I proposed (according to the new patch), the above
works only with first/initial (now obsolete) patch.

For the "Client-SAN" header, it fails because
"%{PeerExtList:}" is a list and it can't be evaluated in a
string context (like mod_headers' expr= context).

A string context is what's allowed between the quotes in a full
expression context (like a an <If>'s condition), but omitting/without
the quotes...

So same for the second, "'IP Address:'.%{REMOTE_ADDR}" is not valid in
a string context, you'd have to use expr="IP Address:%{REMOTE_ADDR}"
directly, but still the following "-in %{PeerExtList:}" isn't
valid either (no condition evaluated in a string context...).

That's why my latest patch introduces "%{: <any expression> :}" (note
the leading and trailing colons), so you should be able to:
 Header set Expr1 "expr=%{: 'IP Address:%{REMOTE_ADDR}' -in
PeerExtList('') :}"

but still the above is "false" (my patch also evaluates the conditions
into the strings "true"/"false").
This is because 'IP Address:%{REMOTE_ADDR}' is only a part of the
first entry of PeerExtList('') (which could be expressed
literally as {'email:<redacted1>, email:<redacted2>, IP
Address:, IP Address:0:0:0:0:0:0:0:1, IP
Address:, IP Address:FE80:0:0:0:6D03:4CE1:C15F:5A44'}),
not an entry on its own (like in {'email:<redacted1>',
'email:<redacted2>', 'IP Address:', 'IP
Address:0:0:0:0:0:0:0:1', 'IP Address:', 'IP

So we need to be able to split a list but applying a regular
expression on all of its entries and creating a new list with the

That's the new "split/<match>/<substitute>/" operator, which will walk
all the list's entries (actually the first and only one in the
PeerExtList('') case) and split them into a new list where
<match>ed, i.e. keep only what's before (hence also after by progress
on the next <match>) and <substitute>d if not empty.

All in one, this gives:
 Header set Expr1 "expr=%{: %{REMOTE_ADDR} -in
(PeerExtList('subjectAltName') =~ split/.*?IP Address:([^,]+)/$1/) :}"
Where we create an %{: expression :} context where we can search for
%{REMOTE_ADDR} -in PeerExtList('subjectAltName') splitted on ".*?IP
Address:([^,]+)" (i.e. skip anything before and including 'IP
Address:' to keep only what follows until the next comma: the IP!).
This one should return "true"...

> I've modified this one to use the "normal" method syntax, hoping that would
> work:
> <If "%{PeerExtList('') =~ /%{REMOTE_ADDR}/">
>     Header set matched-dynamic true
> </If>

Likewise, %{REMOTE_ADDR} cannot be evaluated at init time (when the
regular expression is compiled), thus the failure.

 <If "%{REMOTE_ADDR} -in (PeerExtList('subjectAltName') =~ split/.*?IP
    Header set matched-dynamic true
should work...


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message