HostnameLookups Off not being respected

on 11.05.2007 20:08:45 by bitbucket

yeah, new to a lot of this stuff...

environment: OpenBSD/i386 4.0, default chrooted apache, a handful of
VirtualHosts. i only have an SSL cert for one VirtualHost, and for now i'm
using one ip address.

Server: Apache/1.3.29 (Unix) PHP/4.4.1 mod_ssl/2.8.16 OpenSSL/0.9.7j

HostnameLookups Off is the default value, and i haven't changed it. the
_only_ thing i have changed in my httpd.conf recently was to setup a
VirtualHost within the SSL context.

each VirtualHost has its own logging statement, and in every one of them,
HostnameLookups Off is working---in other words, only ip addresses get
logged. but in one VirtualHost, it seems bound and determined to reverse
lookup every single request. i view this as a fairly stupid (and some might
say unfriendly) thing to do, so i'd like to cut it out.

i've tried stuffing HostnameLookups Off in the stanza of the
host that's doing this, but to no avail. i know that sometimes a missing
(ie, closing a stanza) can sometimes cause weird things to
happen. my httpd.conf passes muster with apachectl configtest, and i can't
spot anything amiss.

i can backout the last change i made, but of course i'd like to find out
where i went wrong. the last change i made is a three line diff defining my
new SSL virtual host.

can someone hit me with a cluestick?

thanks.

Re: HostnameLookups Off not being respected

on 11.05.2007 20:59:27 by shimmyshack

bitbucket wrote:
> yeah, new to a lot of this stuff...
>
> environment: OpenBSD/i386 4.0, default chrooted apache, a handful of
> VirtualHosts. i only have an SSL cert for one VirtualHost, and for now i'm
> using one ip address.
>
> Server: Apache/1.3.29 (Unix) PHP/4.4.1 mod_ssl/2.8.16 OpenSSL/0.9.7j
>
> HostnameLookups Off is the default value, and i haven't changed it. the
> _only_ thing i have changed in my httpd.conf recently was to setup a
> VirtualHost within the SSL context.
>
> each VirtualHost has its own logging statement, and in every one of them,
> HostnameLookups Off is working---in other words, only ip addresses get
> logged. but in one VirtualHost, it seems bound and determined to reverse
> lookup every single request. i view this as a fairly stupid (and some might
> say unfriendly) thing to do, so i'd like to cut it out.
>
> i've tried stuffing HostnameLookups Off in the stanza of the
> host that's doing this, but to no avail. i know that sometimes a missing
> (ie, closing a stanza) can sometimes cause weird things to
> happen. my httpd.conf passes muster with apachectl configtest, and i can't
> spot anything amiss.
>
> i can backout the last change i made, but of course i'd like to find out
> where i went wrong. the last change i made is a three line diff defining my
> new SSL virtual host.
>
> can someone hit me with a cluestick?
>
> thanks.


when you did this
> the _only_ thing i have changed in my httpd.conf recently was to setup a
> VirtualHost within the SSL context.
did you also put something like this:

Order Allow,Deny
Allow from hostname.com

if you did, it performs a double [paranoid] lookup overriding the
HostnameLookups Off setting

Re: HostnameLookups Off not being respected

on 11.05.2007 20:59:32 by shimmyshack

bitbucket wrote:
> yeah, new to a lot of this stuff...
>
> environment: OpenBSD/i386 4.0, default chrooted apache, a handful of
> VirtualHosts. i only have an SSL cert for one VirtualHost, and for now i'm
> using one ip address.
>
> Server: Apache/1.3.29 (Unix) PHP/4.4.1 mod_ssl/2.8.16 OpenSSL/0.9.7j
>
> HostnameLookups Off is the default value, and i haven't changed it. the
> _only_ thing i have changed in my httpd.conf recently was to setup a
> VirtualHost within the SSL context.
>
> each VirtualHost has its own logging statement, and in every one of them,
> HostnameLookups Off is working---in other words, only ip addresses get
> logged. but in one VirtualHost, it seems bound and determined to reverse
> lookup every single request. i view this as a fairly stupid (and some might
> say unfriendly) thing to do, so i'd like to cut it out.
>
> i've tried stuffing HostnameLookups Off in the stanza of the
> host that's doing this, but to no avail. i know that sometimes a missing
> (ie, closing a stanza) can sometimes cause weird things to
> happen. my httpd.conf passes muster with apachectl configtest, and i can't
> spot anything amiss.
>
> i can backout the last change i made, but of course i'd like to find out
> where i went wrong. the last change i made is a three line diff defining my
> new SSL virtual host.
>
> can someone hit me with a cluestick?
>
> thanks.


when you did this
> the _only_ thing i have changed in my httpd.conf recently was to setup a
> VirtualHost within the SSL context.
did you also put something like this:

Order Allow,Deny
Allow from hostname.com

if you did, it performs a double [paranoid] lookup overriding the
HostnameLookups Off setting

Re: HostnameLookups Off not being respected

on 11.05.2007 23:53:55 by bitbucket

On 11 May 2007 11:59:27 -0700, shimmyshack wrote:
|
| bitbucket wrote:
| > yeah, new to a lot of this stuff...

| > i've tried stuffing HostnameLookups Off in the stanza of the
| > host that's doing this, but to no avail. i know that sometimes a missing
| > (ie, closing a stanza) can sometimes cause weird things to
| > happen. my httpd.conf passes muster with apachectl configtest, and i can't
| > spot anything amiss.

| when you did this
| > the _only_ thing i have changed in my httpd.conf recently was to setup a
| > VirtualHost within the SSL context.
| did you also put something like this:
|
| Order Allow,Deny
| Allow from hostname.com
|
| if you did, it performs a double [paranoid] lookup overriding the
| HostnameLookups Off setting

well here's a partial diff:

--- config_files/httpd.conf 1 May 2007 01:01:16 -0000 1.21
+++ config_files/httpd.conf 11 May 2007 18:22:53 -0000
@@ -728,8 +728,6 @@
AllowOverride None
Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec

- Order allow,deny
- deny from undesirable.com
Allow from all


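Review bot: deleting `Order allow,deny` together with `deny from undesirable.com` while keeping `Allow from all` leaves a bare Allow line running under Apache's default order, so the block on undesirable.com is gone rather than fixed. If that host still needs to be kept out, express the rule by address (`Deny from <its IP or netblock>`) instead of by name: a hostname argument to Allow/Deny is exactly what forces Apache to reverse-resolve (and forward-confirm) every client even with HostnameLookups Off, which is the behaviour reported in this thread.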
@@ -1095,6 +1093,7 @@
ServerAdmin webmaster@lpmd.org
DocumentRoot /var/www/lpmd.org
ServerName www.lpmd.org
+ HostnameLookups Off
ErrorLog logs/error_log.lpmd
CustomLog logs/access_log.lpmd common


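Review bot: the added `HostnameLookups Off` inside the www.lpmd.org host is redundant with the server-wide default the poster already has, and it does not address the cause: an `Allow from` or `Deny from` that names a domain triggers its own reverse lookup independently of this directive. Keeping the line is harmless, but the lookups will persist until the hostname-based rule is removed or rewritten as an address.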
now that i think of it, i think i shouldn't have deleted that Order
allow,deny line, so i think i will take a look at that as soon as i get a
chance... but _that_ change was an effort to ``fix'' the problem that was
introduced with this diff (yes, a fairly large diff, but i'm mostly just
cleaning up commented code):

admittedly, my knowledge is a bit nascent, but i'm just not seeing what
could have introduced the change in behavior. i will look at it with a
keener eye when i get a chance this weekend.

@@ -1251,105 +1250,19 @@
## SSL Virtual Host Context
##

-
-
-# General setup for the virtual host
-# DocumentRoot /var/www/htdocs
-# ServerName new.host.name
-# ServerAdmin you@your.address
-# ErrorLog logs/error_log
-# TransferLog logs/access_log
-
-# SSL Engine Switch:
-# Enable/Disable SSL for this virtual host.
-SSLEngine on
-
-# SSL Cipher Suite:
-# List the ciphers that the client is permitted to negotiate.
-# See the mod_ssl documentation for a complete list.
-#SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
-
-# Server Certificate:
-# Point SSLCertificateFile at a PEM encoded certificate. If
-# the certificate is encrypted, then you will be prompted for a
-# pass phrase. Note that a kill -HUP will prompt again. A test
-# certificate can be generated with `make certificate' under
-# built time.
-SSLCertificateFile /etc/ssl/server.crt
-
-# Server Private Key:
-# If the key is not combined with the certificate, use this
-# directive to point at the key file.
-SSLCertificateKeyFile /etc/ssl/private/server.key
-
-# Certificate Authority (CA):
-# Set the CA certificate verification path where to find CA
-# certificates for client authentication or alternatively one
-# huge file containing all of them (file must be PEM encoded)
-# Note: Inside SSLCACertificatePath you need hash symlinks
-# to point to the certificate files. Use the provided
-# Makefile to update the hash symlinks after changes.
-#SSLCACertificatePath /var/www/conf/ssl.crt
-#SSLCACertificateFile /var/www/conf/ssl.crt/ca-bundle.crt
-
-# Client Authentication (Type):
-# Client certificate verification type and depth. Types are
-# none, optional, require and optional_no_ca. Depth is a
-# number which specifies how deeply to verify the certificate
-# issuer chain before deciding the certificate is not valid.
-#SSLVerifyClient require
-#SSLVerifyDepth 10
-
-# Access Control:
-# With SSLRequire you can do per-directory access control based
-# on arbitrary complex boolean expressions containing server
-# variable checks and other lookup directives. The syntax is a
-# mixture between C and Perl. See the mod_ssl documentation
-# for more details.
-#
-#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \
-# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
-# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
-# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
-# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
-# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
-#

-
-# Don't bother looking for favicon.ico
-Redirect 404 /favicon.ico
-
-# Don't bother sending the custom error page for favicon.ico
-
- ErrorDocument 404 "No favicon"
-

-
-# SSL Engine Options:
-# Set various options for the SSL engine.
-# FakeBasicAuth:
-# Translate the client X.509 into a Basic Authorisation. This means that
-# the standard Auth/DBMAuth methods can be used for access control. The
-# user name is the `one line' version of the client's X.509 certificate.
-# Note that no password is obtained from the user. Every entry in the user
-# file needs this password: `xxj31ZMTZzkVA'.
-# ExportCertData:
-# This exports two additional environment variables: SSL_CLIENT_CERT and
-# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
-# server (always existing) and the client (only existing when client
-# authentication is used). This can be used to import the certificates
-# into CGI scripts.
-# CompatEnvVars:
-# This exports obsolete environment variables for backward compatibility
-# to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. Use this
-# to provide compatibility to existing CGI scripts.
-#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars
-
-# Per-Server Logging:
-# The home of a custom SSL log file. Use this when you want a
-# compact non-error SSL logfile on a virtual host basis.
-CustomLog logs/ssl_request_log \
+
+ ServerName qa.lpmd.org
+ DocumentRoot /var/www/qa
+ ServerAdmin webmaster@lpmd.org
+ SSLEngine on
+ SSLCertificateFile /etc/ssl/server.crt
+ SSLCertificateKeyFile /etc/ssl/private/server.key
+ Redirect 404 /favicon.ico
+
+ ErrorDocument 404 "No favicon"
+

+ CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
-
-

+



-
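
Review bot: nothing in the replacement qa.lpmd.org host touches access control (no Order/Allow/Deny), so this hunk is not what turned the lookups on; the cause should be sought in the first hunk's `deny from undesirable.com` rule. Two smaller points on the new block: the retained `CustomLog` format uses `%h`, which records whatever name a lookup produced, where `%a` logs the client address regardless of lookups; and the new host reuses `/etc/ssl/server.crt` for `qa.lpmd.org`, so clients will warn unless that certificate's name covers qa.lpmd.org.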

Re: HostnameLookups Off not being respected

on 12.05.2007 00:49:38 by bitbucket

On 11 May 2007 11:59:32 -0700, shimmyshack wrote:
|
| bitbucket wrote:
| > yeah, new to a lot of this stuff...
| >
| > environment: OpenBSD/i386 4.0, default chrooted apache, a handful of
| > VirtualHosts. i only have an SSL cert for one VirtualHost, and for now i'm
| > using one ip address.
| >
| > Server: Apache/1.3.29 (Unix) PHP/4.4.1 mod_ssl/2.8.16 OpenSSL/0.9.7j
| >
| > HostnameLookups Off is the default value, and i haven't changed it. the
| > _only_ thing i have changed in my httpd.conf recently was to setup a
| > VirtualHost within the SSL context.
| >
| > each VirtualHost has its own logging statement, and in every one of them,
| > HostnameLookups Off is working---in other words, only ip addresses get
| > logged. but in one VirtualHost, it seems bound and determined to reverse
| > lookup every single request. i view this as a fairly stupid (and some might
| > say unfriendly) thing to do, so i'd like to cut it out.
| >
| > i've tried stuffing HostnameLookups Off in the stanza of the
| > host that's doing this, but to no avail. i know that sometimes a missing
| > (ie, closing a stanza) can sometimes cause weird things to
| > happen. my httpd.conf passes muster with apachectl configtest, and i can't
| > spot anything amiss.
| >
| > i can backout the last change i made, but of course i'd like to find out
| > where i went wrong. the last change i made is a three line diff defining my
| > new SSL virtual host.
| >
| > can someone hit me with a cluestick?
| >
| > thanks.
|
|
| when you did this
| > the _only_ thing i have changed in my httpd.conf recently was to setup a
| > VirtualHost within the SSL context.
| did you also put something like this:
|
| Order Allow,Deny
| Allow from hostname.com
|
| if you did, it performs a double [paranoid] lookup overriding the
| HostnameLookups Off setting

actually i did a:

Order Allow,Deny
Deny from foo.com
Allow from all

but i think i understand. undoing that fixed my problem. i think i
understand why. thanks for the help.
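
The diagnosis in shimmyshack's reply and the `Deny from foo.com` rule confirmed in this last post, as an added Python illustration that is not part of the thread and not Apache's code: it flags the Allow/Deny arguments that can only be matched by name (and so force a lookup per request whatever HostnameLookups says), and replays the double-reverse "paranoid" check against constructed PTR and A records. All names and addresses below are made up.

```python
import ipaddress
import re

# Constructed PTR and A records standing in for real DNS (not from the thread).
PTR = {"192.0.2.10": "host1.foo.com",
       "192.0.2.20": "host2.foo.com",        # PTR claims foo.com ...
       "198.51.100.5": "box.example.net"}
FORWARD = {"host1.foo.com": {"192.0.2.10"},
           "host2.foo.com": {"203.0.113.9"},  # ... but the name resolves elsewhere
           "box.example.net": {"198.51.100.5"}}

# The rules the poster had, and the same intent expressed by address (constructed).
POSTED_RULES = "Order Allow,Deny\nDeny from foo.com\nAllow from all"
ADDRESS_RULES = "Order Allow,Deny\nDeny from 192.0.2.0/24\nAllow from all"

def needs_dns_lookup(arg):
    """True when an Allow/Deny 'from' argument can only be matched by name, so
    Apache must resolve the client on every request regardless of HostnameLookups.
    'all', env=, full IPs, CIDR/netmask and partial IPs need no DNS."""
    a = arg.strip().lower()
    if a == "all" or a.startswith("env="):
        return False
    try:
        ipaddress.ip_network(a, strict=False)   # 10.1.2.3, 10.1.0.0/16, 10.1.0.0/255.255.0.0
        return False
    except ValueError:
        pass
    return not re.fullmatch(r"\d{1,3}(\.\d{1,3}){0,2}\.?", a)   # partial IP such as "10.1."

def double_reverse_match(client_ip, pattern):
    """Model of the paranoid check a hostname rule triggers: the client's PTR name
    must fall under the pattern AND that name's A records must include the client,
    so a spoofed PTR record alone cannot satisfy the rule."""
    name = PTR.get(client_ip)
    if name is None:
        return False
    pat = pattern.lower().lstrip(".")
    if name != pat and not name.endswith("." + pat):
        return False
    return client_ip in FORWARD.get(name, set())

def lookups_forced_by(conf):
    """Return every Allow/Deny argument in a config snippet that forces DNS lookups."""
    found = []
    for line in conf.splitlines():
        m = re.match(r"\s*(?:allow|deny)\s+from\s+(.+)", line, re.I)
        if m:
            found += [a for a in m.group(1).split() if needs_dns_lookup(a)]
    return found
```

Running `lookups_forced_by` over an httpd.conf before reloading is a cheap way to catch a name-based rule creeping back in.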