Return-Path: Delivered-To: apmail-perl-asp-archive@perl.apache.org Received: (qmail 78967 invoked by uid 500); 4 Jun 2002 01:27:36 -0000 Mailing-List: contact asp-help@perl.apache.org; run by ezmlm Precedence: bulk list-help: list-unsubscribe: list-post: Delivered-To: mailing list asp@perl.apache.org Received: (qmail 78956 invoked from network); 4 Jun 2002 01:27:35 -0000 Mime-Version: 1.0 X-Sender: ellers@celtic.iinet.net.au (Unverified) Message-Id: In-Reply-To: <2EA9DCB0A415D511A08200508B9B074502248354@TRINITY> References: <2EA9DCB0A415D511A08200508B9B074502248354@TRINITY> Date: Tue, 4 Jun 2002 09:31:25 +0800 To: "'asp@perl.apache.org'" From: Ellers Subject: Re: Apache::ASP shows script source when ... Content-Type: text/plain; charset="us-ascii" ; format="flowed" X-Spam-Rating: daedalus.apache.org 1.6.2 0/1000/N Apache::ASP definitely works fine under Apache with SSL; we use it with SSL and without SSL with no problems. The problem is almost certainly a matter of configuration. I have found the httpd.conf file to be a bit confusing in that it has a IfDefine (or similar) section around the SSL definitions and my Apache::ASP config options were _outside_ that SSL section, therefore it didn't pick them up. Here is the section (more or less) from the httpd.conf we use: ## SSL Virtual Host Context ## ServerName secure.mysite.com DocumentRoot /data/secure.mysite.com/public_html ErrorLog /data/secure.mysite.com/log/error-secure.log TransferLog /data/secure.mysite.com/log/access-secure.log SSLCertificateFile /etc/ssl/certs/cert1.txt SSLCertificateKeyFile /etc/ssl/private/secure.mysite.com.key SSLEngine on SetHandler perl-script PerlHandler Apache::ASP PerlSetVar UseStrict 1 #PerlSetVar Debug 1 PerlSetVar Debug 2 # ... normal asp config stuff >I think that can be a security issue that a script that >it's meant to work using the HTTP protocol can be seen as source code using HTTPS, even though the debug directive is set correctly. Debug really isn't the issue here. If a web server has no extra definition for a file type, the process goes: - someone requested file "blah.asp" - Q: does Apache have any special options for .asp files in that directory under that vhost? - A: No - ok, just return the file as-is (ie source) But with the appropriate options: - someone requested file "blah.asp" - Q: does Apache have any special options for .asp files in that directory under that vhost? - A: Yes, send it to apache::asp - ah, ok, sending to asp... - got output from asp - returning the ASP output to the caller Any web server, if incorrectly configured, could potentially return the source of the file rather than passing it to (say) Apache::ASP for processing first. The good news is that once the configuration is going you're set and don't have to worry about it. I don't personally like using .htaccess (you used two t's; a typo?) as I like to see all declarations in a sequence in the one file - my brain can't handle too many separate files! Work through the httpd.conf and any .htaccess files and 'parse' it like Apache would; its a configuration issue for sure Ellers >Philip, > >Thanks for your input. The virtual server is the same listening on por 80 >and 443 respectively, I've looked at the documentation and I can't find, >clearly, what directives I need to use. I'm using .httaccess to set the >namespace options. I'll appreciate any directions about what directives I >need to use. Still, I think that can be a security issue that a script that >it's meant to work using the HTTP protocol can be seen as source code using >HTTPS, even though the debug directive is set correctly. > >Thanks for your help! > > > >-------------------------- >Fernando I. Munoz > >--------------------------------------------------------------------- >To unsubscribe, e-mail: asp-unsubscribe@perl.apache.org >For additional commands, e-mail: asp-help@perl.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: asp-unsubscribe@perl.apache.org For additional commands, e-mail: asp-help@perl.apache.org