perl-asp mailing list archives

From Ellers <ell...@iinet.net.au>
Subject Re: Apache::ASP shows script source when ...
Date Tue, 04 Jun 2002 01:31:25 GMT
Apache::ASP definitely works fine under Apache with SSL; we use it 
with SSL and without SSL with no problems.

The problem is almost certainly a matter of configuration. I have 
found the httpd.conf file to be a bit confusing in that it has an 
IfDefine (or similar) section around the SSL definitions and my 
Apache::ASP config options were _outside_ that SSL section, therefore 
it didn't pick them up.


Here is the section (more or less) from the httpd.conf we use:

## SSL Virtual Host Context
##

<VirtualHost 192.168.0.1:443>
  ServerName secure.mysite.com 
  DocumentRoot /data/secure.mysite.com/public_html
  ErrorLog /data/secure.mysite.com/log/error-secure.log
  TransferLog /data/secure.mysite.com/log/access-secure.log
  SSLCertificateFile /etc/ssl/certs/cert1.txt
  SSLCertificateKeyFile /etc/ssl/private/secure.mysite.com.key
  SSLEngine on
  <Directory /data/secure.mysite.com/public_html/ >
   <Files ~ (\.asp)>
     SetHandler perl-script
     PerlHandler Apache::ASP
     PerlSetVar UseStrict 1
     #PerlSetVar Debug 1
     PerlSetVar Debug 2
     # ... normal asp config stuff
   </Files>
  </Directory>
</VirtualHost>

>I think that can be a security issue that a script that
>it's meant to work using the HTTP protocol can be seen as source code using
>HTTPS, even though the debug directive is set correctly.

Debug really isn't the issue here.

If a web server has no extra definition for a file type, the process goes:

   - someone requested file "blah.asp"
   - Q: does Apache have any special options for .asp files in that
     directory under that vhost?
   - A: No
   - ok, just return the file as-is (ie source)

But with the appropriate options:

   - someone requested file "blah.asp"
   - Q: does Apache have any special options for .asp files in that
     directory under that vhost?
   - A: Yes, send it to apache::asp
   - ah, ok, sending to asp...
   - got output from asp
   - returning the ASP output to the caller

Any web server, if incorrectly configured, could potentially return 
the source of the file rather than passing it to (say) Apache::ASP 
for processing first.

The good news is that once the configuration is going you're set and 
don't have to worry about it.

I don't personally like using .htaccess (you used two t's; a typo?) 
as I like to see all declarations in a sequence in the one file - my 
brain can't handle too many separate files!

Work through the httpd.conf and any .htaccess files and 'parse' it 
like Apache would; it's a configuration issue for sure.

Ellers


>Philip,
>
>Thanks for your input. The virtual server is the same listening on port 80
>and 443 respectively, I've looked at the documentation and I can't find,
>clearly, what directives I need to use. I'm using .httaccess to set the
>namespace options. I'll appreciate any directions about what directives I
>need to use. Still, I think that can be a security issue that a script that
>it's meant to work using the HTTP protocol can be seen as source code using
>HTTPS, even though the debug directive is set correctly.
>
>Thanks for your help!
>
>
>
>--------------------------
>Fernando I. Munoz
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: asp-unsubscribe@perl.apache.org
>For additional commands, e-mail: asp-help@perl.apache.org
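
The advice above to read httpd.conf the way Apache would, sketched as an added Python example (not from the original post or from Apache::ASP): it walks the container nesting and reports, per `<VirtualHost>`, whether both handler directives sit inside a .asp `<Files>` section of that vhost, and which `<IfDefine>` flags the vhost depends on. The sample config, addresses and the function name are constructed; server-scope inheritance, Include and .htaccess are not modelled.

```python
import re

# Constructed sample: the port-80 vhost maps .asp to Apache::ASP; the SSL
# vhost, wrapped in <IfDefine SSL>, has no handler section of its own.
SAMPLE_CONF = r"""
<VirtualHost 192.168.0.1:80>
  <Directory /data/www/public_html/>
    <Files ~ "\.asp$">
      SetHandler perl-script
      PerlHandler Apache::ASP
    </Files>
  </Directory>
</VirtualHost>
<IfDefine SSL>
<VirtualHost 192.168.0.1:443>
  SSLEngine on
</VirtualHost>
</IfDefine>
"""

NEEDED = {"sethandler perl-script", "perlhandler apache::asp"}
OPEN = re.compile(r"<(\w+)\s*([^>]*)>")
CLOSE = re.compile(r"</\w+>")

def audit_asp_handlers(conf_text):
    """Map each <VirtualHost> address to its handler status and IfDefine flags."""
    stack, seen, flags = [], {}, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CLOSE.fullmatch(line):
            del stack[-1:]  # pop the innermost container; tolerate an unbalanced close
        elif m := OPEN.fullmatch(line):
            name, arg = m.group(1).lower(), m.group(2).strip()
            stack.append((name, arg))
            if name == "virtualhost":
                seen[arg] = set()
                flags[arg] = [a for n, a in stack if n == "ifdefine"]
        else:
            vhost = next((a for n, a in stack if n == "virtualhost"), None)
            # Heuristic: any enclosing <Files>/<FilesMatch> whose pattern mentions "asp".
            in_asp = any(n in ("files", "filesmatch") and "asp" in a.lower() for n, a in stack)
            if vhost and in_asp:
                seen[vhost].add(" ".join(line.lower().split()))
    return {v: {"handled": NEEDED <= seen[v], "ifdefine": flags[v]} for v in seen}

if __name__ == "__main__":
    print(audit_asp_handlers(SAMPLE_CONF))
```

A vhost reported with `handled` false is one to inspect by hand, since a handler inherited from outside the vhost is not visible to this check.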


