All Your URI are Belong to Us - Geoffrey Young


SLIDE 1

http://www.modperlcookbook.org/~geoff/

All Your URI are Belong to Us

Geoffrey Young

geoff@modperlcookbook.org

SLIDE 2

Apache Request Cycle

[Diagram: the Apache request cycle, with phases Client Request, URI-based Init, URI Translation, File-Based Init, Resource Control, Mime Setting, Fixups, Content, Logging]

SLIDE 3

Apache Request Cycle

[Diagram: Client Request, URI-based Init, URI Translation]

SLIDE 4

URI Translation

  • Apache needs to map the URI to a physical file on disk
  • Default is to prepend DocumentRoot to the URI

DocumentRoot /usr/local/apache/htdocs

SLIDE 5

URI Translation

  • Directives like Alias override the default

DocumentRoot /usr/local/apache/htdocs
Alias /manual/ /usr/local/apache/manual/
<Directory /usr/local/apache/manual>
  ...
</Directory>

  • Some URIs have no associated file, but Apache tries anyway

<Location /server-status>
  ...
</Location>

SLIDE 6

PerlTransHandler

[Diagram: Client Request, URI-based Init, PerlTransHandler]

SLIDE 7

PerlTransHandler

  • Useful for overriding the Apache default
  • Allows you to be extremely devious
  • There are a few pitfalls of which to be aware

SLIDE 8

Simple PerlTransHandler

  • Be rid of those silly favicon.ico requests that end up 404
  • Translate the incoming URI to a common place if it matches favicon.ico

SLIDE 9

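package Cookbook::Favicon;

use Apache::Constants qw(DECLINED);

use strict;

sub handler {

  my $r = shift;

  # Point any request ending in /favicon.ico at one shared file.
  $r->uri("/images/favicon.ico")
    if $r->uri =~ m!/favicon\.ico$!;

  # Decline so the core translation still maps the URI to a file.
  return DECLINED;
}
1;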

SLIDE 10

Client Request

GET /foo/bar/baz/biff/favicon.ico HTTP/1.1
Host: www.example.com

SLIDE 11

[Diagram: Client Request, URI-based Init, PerlTransHandler]

URI: /foo/bar/baz/biff/favicon.ico

SLIDE 12

[Diagram: Client Request, URI-based Init, PerlTransHandler, core translation]

FILE: /usr/local/apache/htdocs/images/favicon.ico

SLIDE 13

Setup

  • add Favicon.pm to @INC

ServerRoot/lib/perl/Cookbook/Favicon.pm

  • add to httpd.conf

PerlModule Cookbook::Favicon
PerlTransHandler Cookbook::Favicon

  • that's it!

SLIDE 14

Winner Takes All

  • The first URI translation handler to return OK ends the phase
      – mod_perl or otherwise
  • Perl handlers usually return DECLINED
      – lets Apache's core translation engine do the filesystem mapping
  • Return OK only when you map the file to disk yourself
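
The translation phase described on the preceding slides (DocumentRoot default, Alias override, a PerlTransHandler that rewrites the URI and declines, and the first OK ending the phase), modeled in plain Perl. This is an added example, not code from the slides or from Apache; the sub names and the request hash are hypothetical stand-ins.

```perl
#!/usr/bin/perl
# Added illustration: a plain-Perl model of the URI translation phase.
# Not Apache or mod_perl code; all sub names here are hypothetical.
use strict;
use warnings;

use constant { OK => 0, DECLINED => -1 };   # the values Apache defines

my $DOCROOT = '/usr/local/apache/htdocs';
my %ALIAS   = ('/manual/' => '/usr/local/apache/manual/');

# Cookbook::Favicon's logic: rewrite the URI, then decline.
sub favicon {
    my $req = shift;
    $req->{uri} = '/images/favicon.ico' if $req->{uri} =~ m!/favicon\.ico$!;
    return DECLINED;
}

# Stand-in for Alias: it maps the file itself, so it returns OK.
sub alias_map {
    my $req = shift;
    for my $prefix (keys %ALIAS) {
        next unless index($req->{uri}, $prefix) == 0;
        $req->{filename} = $ALIAS{$prefix} . substr($req->{uri}, length $prefix);
        return OK;
    }
    return DECLINED;
}

# Stand-in for the core default: prepend DocumentRoot.
sub core_default {
    my $req = shift;
    $req->{filename} = $DOCROOT . $req->{uri};
    return OK;
}

# Run handlers in order; the first to return OK ends the phase.
sub run_translation {
    my ($uri, @handlers) = @_;
    my $req = { uri => $uri };
    for my $h (@handlers) {
        last if $h->($req) == OK;
    }
    return $req->{filename};
}

for my $uri ('/foo/bar/baz/biff/favicon.ico', '/manual/mod/core.html', '/index.html') {
    printf "%-30s -> %s\n", $uri,
        run_translation($uri, \&favicon, \&alias_map, \&core_default);
}
```

Putting a handler that returns OK ahead of `alias_map` in the list means the Alias mapping never runs, which is the "winner takes all" behaviour.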

SLIDE 15

Why Not Use mod_rewrite?

  • Our Cookbook::Favicon is pretty much the same as

RewriteRule /favicon.ico$ /images/favicon.ico

  • We did it in Perl
  • With Perl comes great power

SLIDE 16

URI-based Sessions

  • A simple cookie-less session scheme stores the session in the URI
  • Storage can occur in the PATH_INFO

http://manual/index.html/a92c5e

  • Or at the start of the URI

http://a92c5e/manual/index.html

  • The second form has some distinct advantages

SLIDE 17

package Cookbook::URISessionManager;

use Apache::Constants qw(DECLINED OK);
use Apache::URI;

sub get_session {

  my $r = shift;

  my $uri = $r->parsed_uri;

  # Separate the MD5 session from the real path.
  my ($session, $path) = $uri->path =~ m!^/([a-fA-F0-9]{32})(/.*)!;

  return DECLINED unless $session;

  # Now, put the session in a note...
  $r->notes(SESSION => $session);

  # ... and set the URI to the proper path.
  $r->uri($path);

  return DECLINED;
}
1;

SLIDE 18

Advantages

  • Session parsing is done up front
      – everyone else gets the session from notes

my $session = $r->notes('SESSION');

      – even C handlers!
      – true even if you use PATH_INFO
  • Browsers take care of adding the session to relative links for you

SLIDE 19

Disadvantages

  • The main problem with URI-based sessions is "session leakage"
  • Session data will show up in Referer logs whenever someone clicks offsite
  • A simple PerlTransHandler takes care of that

SLIDE 20

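package Cookbook::URISessionManager;

use Apache::Constants qw(DECLINED OK);

sub get_session { ... }

sub clean_uri {

  my $r = shift;

  # The offsite target is everything from the last "http://" onward.
  my ($uri) = $r->uri =~ m!.*(http://.*)!;

  return DECLINED unless defined $uri;

  # The target comes from the client, so escape it before it goes into HTML.
  for ($uri) { s/&/&amp;/g; s/</&lt;/g; s/>/&gt;/g; s/"/&quot;/g; }

  $r->send_http_header('text/html');

  print <<EOF;
<html>
  <head>
    <meta http-equiv="refresh" content="0;URL=$uri">
  </head>
  <body>
    you should be going <a href="$uri">here</a> soon
  </body>
</html>
EOF

  return OK;
}
1;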

SLIDE 21

httpd.conf:

PerlModule Cookbook::URISessionManager
PerlTransHandler Cookbook::URISessionManager::get_session

<Location /goodbye>
  SetHandler perl-script
  PerlHandler Cookbook::URISessionManager::clean_uri
</Location>
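
The session-stripping and /goodbye steps above as plain functions, run over constructed paths so the result of each step is visible without a server. This is an added example, not code from the slides; the sub names, the sample session ID and the host-name check in goodbye_target are assumptions.

```perl
#!/usr/bin/perl
# Added illustration, not from the original slides: the session and
# /goodbye logic as plain functions that run without mod_perl.
# All sub names are hypothetical; the sample paths are constructed.
use strict;
use warnings;

# Same pattern as get_session: 32 hex digits as the first path segment.
sub split_session {
    my $path = shift;
    my ($session, $rest) = $path =~ m!^/([a-fA-F0-9]{32})(/.*)!;
    return defined $session ? ($session, $rest) : (undef, $path);
}

# Same capture as clean_uri, plus an assumed policy: refuse targets with
# whitespace or control characters, or without a plain host name.
sub goodbye_target {
    my $path = shift;
    my ($target) = $path =~ m!.*(http://.*)!;
    return unless defined $target;
    return if $target =~ /[\x00-\x20\x7f]/;
    return unless $target =~ m!^http://[A-Za-z0-9.-]+(?::\d+)?(?:/.*)?\z!;
    return $target;
}

# Escape the characters that matter inside HTML text and attributes.
sub html_escape {
    my $s = shift;
    my %ent = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$ent{$1}/g;
    return $s;
}

my $sid = 'a92c5e' . '0' x 26;    # made-up 32-digit session ID
for my $path (
    "/$sid/manual/index.html",
    "/$sid/goodbye/http://www.example.com/a&b.html",
    "/$sid/goodbye/http://www.example.com/\"><b>x",
    "/goodbye/ftp://www.example.com/",
) {
    my ($session, $rest) = split_session($path);
    my $target = goodbye_target($rest);
    printf "session=%s uri=%s\n  page links to: %s\n",
        $session // '(none)', $rest,
        defined $target ? html_escape($target) : '(no redirect page)';
}
```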

SLIDE 22

Mischievous Behavior

  • Simple URI re-mapping is only the beginning
  • Apache has this neat, built-in functionality called proxying
      – provided you have mod_proxy installed
  • With mod_perl and mod_proxy you can proxy just about anything...

SLIDE 23

Advanced PerlTransHandler

  • Create a proxy that uses our local Apache documentation instead of ASF servers
  • Intercept proxy requests and silently replace calls to

http://httpd.apache.org/docs

    with

/usr/local/apache/htdocs/manual

SLIDE 24

Client Setup

SLIDE 25

Server Setup

  • Add this to httpd.conf

PerlModule My::ManualProxy
PerlTransHandler My::ManualProxy

SLIDE 26

package My::ManualProxy;

use Apache::Constants qw(OK DECLINED);

use strict;

sub handler {

  my $r = shift;

  # Leave ordinary (non-proxy) requests alone.
  return DECLINED unless $r->proxyreq;

  # Dots are escaped so that only the literal apache.org hosts match.
  my (undef, $file) = $r->uri =~ m!^http://(www|httpd)\.apache\.org/(.*)!;

  if (defined $file && $file =~ m!^docs/!) {
    $file =~ s!^docs/!manual/!;

    $file = join "/", ($r->document_root, $file);

    if (-f $file) {
      $r->filename($file);  # use local disk
      return OK;
    }
  }

  return DECLINED;
}
1;

SLIDE 27

Apache Request Cycle

[Diagram: the Apache request cycle, with phases Client Request, URI-based Init, URI Translation, File-Based Init, Resource Control, Mime Setting, Fixups, Content, Logging]