setting a server variable

Hi,

I'm new to mod_perl and I'm having some difficulty understanding a few things.
I'd like to write an Apache module which authenticates a request based on the URL.
I only want the module to deny invalid requests and allow valid requests to be processed as normal.

A more specific example would be like:

Request URL: http://myhost.com/REALLY-SECURE-TOKEN/file2download
Module logic: if REALLY-SECURE-TOKEN is valid, allow the request to continue - else, stop request with an error

External application logic: if request got here without error then
find the file2download and write it to the output stream - else, show
custom error


I think the best way to do this is something like:

1) Write a module which evaluates the URL and places a variable in the request's scope
2)
Use mod_rewrite to evaluate the newly set variable and pass execution
to the proper place with any error code that might have been placed in
the variable

I've been reading books, howto's, and on-line documentation for the past two days and I still have no idea where to begin.
Any advice would be greatly appreciated.

Thanks,

Ty

Re: setting a server variable

tyju tiui wrote:
> Hi,
>
> I'm new to mod_perl and I'm having some difficulty understanding a few things.
> I'd like to write an Apache module which authenticates a request based on the URL.
> I only want the module to deny invalid requests and allow valid requests to be processed as normal.
>
> A more specific example would be like:
>
> Request URL: http://myhost.com/REALLY-SECURE-TOKEN/file2download
> Module logic: if REALLY-SECURE-TOKEN is valid, allow the request to continue - else, stop request with an error
>
> External application logic: if request got here without error then
> find the file2download and write it to the output stream - else, show
> custom error
>
>
> I think the best way to do this is something like:
>
> 1) Write a module which evaluates the URL and places a variable in the request's scope
> 2)
> Use mod_rewrite to evaluate the newly set variable and pass execution
> to the proper place with any error code that might have been placed in
> the variable
>
With mod_perl, it might not be so complicated.
What you probably want is a PerlAccessHandler module.
This will check if the request URL is ok (valid token).
If it is, it returns Apache2::Const::OK, and Apache will continue
processing the request (e.g., sending the file).
If the token is not ok, it returns Apache2::Const::FORBIDDEN, and Apache
will (automatically) return an error page telling the user he is not
allowed to do that.

Look there for an explanation and an example :
http://perl.apache.org/docs/2.0/user/handlers/http.html#Perl AccessHandler

In your case, forget the Apache2::Connection and the IP-linked stuff,
and replace it with your code to check the URL.
In the Apache configuration, you would have something like this :


.. general rules for allowing things like html pages, gifs etc..


# where your files are
SetHandler mod_perl
PerlAccessHandler MyModule
....



And that's basically it.
Now, if this is your first mod_perl Apache add-on module, you'll have to
figure out some more stuff, but it's fun.

André

Re: setting a server variable

On Fri, 13 Jun 2008 19:56:14 -0700 (PDT)
tyju tiui wrote:

>
> Hi,
>
> I'm new to mod_perl and I'm having some difficulty understanding a
> few things. I'd like to write an Apache module which authenticates a
> request based on the URL. I only want the module to deny invalid
> requests and allow valid requests to be processed as normal.
>
> A more specific example would be like:
>
> Request URL: http://myhost.com/REALLY-SECURE-TOKEN/file2download
> Module logic: if REALLY-SECURE-TOKEN is valid, allow the request
> to continue - else, stop request with an error
> External application logic: if request got here without error then
> find the file2download and write it to the output stream - else, show
> custom error
>
>
> I think the best way to do this is something like:
>
> 1) Write a module which evaluates the URL and places a variable in
> the request's scope
> 2)
> Use mod_rewrite to evaluate the newly set variable and pass execution
> to the proper place with any error code that might have been placed in
> the variable
>
> I've been reading books, howto's, and on-line documentation for the
> past two days and I still have no idea where to begin. Any advice
> would be greatly appreciated.

My advice would be to change your URLs to be:

http://myhost.com/securefiles/REALLY-SECURE-TOKEN/filename

Then write a handler that does something along these lines:

use Apache2::RequestRec;
use Apache2::RequestUtil;
use Apache2::RequestIO;

sub handler {
my $r = shift;

# Get the parts of the URI we are interested in
my $uri = $r->uri;
my $root = $r->location;

$uri =~ s!^$root!!; # Strip off http://myhose.com/securefiles
$uri =~ s!//!/!og; # Remove any double slashes
$uri =~ s!^/!!o; # Remove the first slash

# Now that we're left with just REALLY-SECURE-KEY/filename,
# split it up
my ( $secure_key, $filename ) = split( '/', $uri );

# Verify the secure key
if( verify( $secure_key ) ) {
$r->sendfile( $filename );
return( Apache2::Const::OK );
}
else {
return( Apache2::Const::FORBIDDEN );
}

}

}

It would be configured as:


SetHandler modperl
PerlResponseHandler YourHandlerNameHere


You could also do this as an AuthHandler as was previously
mentioned, but for something this simple I don't see much
point in breaking it up unless you're going to use these
secure keys for many different things.

-------------------------------------------------------
Frank Wiles, Revolution Systems, LLC.
Personal : frank@wiles.org http://www.wiles.org
Work : frank@revsys.com http://www.revsys.com

Re: setting a server variable

Andr=E9, Thanks so much for your kind advice.=0AI tried the example yo=
u suggested and I think this is exactly what I need. I have one proble=
m now though.=0AThe file download script I am currently using is written in=
php and it is quite elaborate (in other words I'd like to keep if I can).=
=0AMy PerlAccessHandler does it's job nicely, but now the php script isn't =
found. My config looks like: =0A =
SetHandler perl-script=0A PerlAccessHandler MyApache2::DLAuth=0A =
My index.php file is also in /downloads and it handles ev=
erything after the auth is done.=0AI'm thinking the 'SetHandler' directive =
has something to do with my php script no longer working but I'm unsure how=
to work around the problem.=0AAny ideas? Perhaps this a question for the a=
pache http forums? Thanks again for all your help, Ty =
----- Original Message ----=0AFrom: Andr=E9 Warnier =0ATo: m=
odperl@perl.apache.org=0ACc: tyju tiui =0ASent: Saturd=
ay, June 14, 2008 3:57:31 AM=0ASubject: Re: setting a server variable =
tyju tiui wrote:=0A> Hi,=0A> =0A> I'm new to mod_perl and I'm having =
some difficulty understanding a few things.=0A> I'd like to write an Apache=
module which authenticates a request based on the URL.=0A> I only want the=
module to deny invalid requests and allow valid requests to be processed a=
s normal.=0A> =0A> A more specific example would be like:=0A> =0A> Requ=
est URL: http://myhost.com/REALLY-SECURE-TOKEN/file2download=0A> Module=
logic: if REALLY-SECURE-TOKEN is valid, allow the request to continue - el=
se, stop request with an error=0A> =0A> External application logic: if r=
equest got here without error then=0A> find the file2download and write it =
to the output stream - else, show=0A> custom error=0A> =0A> =0A> I think=
the best way to do this is something like:=0A> =0A> 1) Write a module whic=
h evaluates the URL and places a variable in the request's scope =0A> 2)=0A=
> Use mod_rewrite to evaluate the newly set variable and pass execution=0A>=
to the proper place with any error code that might have been placed in=0A>=
the variable=0A> =0AWith mod_perl, it might not be so complicated.=0AWhat =
you probably want is a PerlAccessHandler module.=0AThis will check if the r=
equest URL is ok (valid token).=0AIf it is, it returns Apache2::Const::OK, =
and Apache will continue =0Aprocessing the request (e.g., sending the file)=
..=0AIf the token is not ok, it returns Apache2::Const::FORBIDDEN, and Apach=
e =0Awill (automatically) return an error page telling the user he is not =
=0Aallowed to do that. Look there for an explanation and an example : =
=0Ahttp://perl.apache.org/docs/2.0/user/handlers/http.html#P erlAccessHandle=
r In your case, forget the Apache2::Connection and the IP-linked stuff=
, =0Aand replace it with your code to check the URL.=0AIn the Apache config=
uration, you would have something like this : =0A .. gene=
ral rules for allowing things like html pages, gifs etc..=0A=0A<=
Location /downloads>=0A# where your files are=0ASetHandler mod_perl=0APerlA=
ccessHandler MyModule=0A...=0A =0AAnd that's basically it.=
=0ANow, if this is your first mod_perl Apache add-on module, you'll have to=
=0Afigure out some more stuff, but it's fun. André

Re: setting a server variable

I found a solution. Not sure if it is the most efficient solution or not, b=
ut it works. =0A SetHandler perl-scri=
pt=0A PerlAccessHandler MyApache2:DLAuth=0A RewriteEngine On=
=0A RewriteCond %{ENV:DL_OK} ^VALID$=0A RewriteRule ^(.*)$ /e=
xt/download/index.php [L]=0A RewriteCond %{ENV:DL_OK} !^VALID$=0A =
RewriteRule ^(.*)$ /ext/download/index.php?err=3D%{ENV:DL_OK} [L]=0A =
Thanks again for everyone's help! ----- Original Me=
ssage ----=0AFrom: tyju tiui =0ATo: Andr=E9 Warnier w@ice-sa.com>; modperl@perl.apache.org=0ASent: Monday, June 16, 2008 1:45:3=
0 PM=0ASubject: Re: setting a server variable Andr=E9, Thanks so =
much for your kind advice.=0AI tried the example you suggested and I think =
this is exactly what I need. I have one problem now though.=0AThe file=
download script I am currently using is written in php and it is quite ela=
borate (in other words I'd like to keep if I can).=0AMy PerlAccessHandler d=
oes it's job nicely, but now the php script isn't found. My config loo=
ks like: =0A SetHandler perl-script=
=0A PerlAccessHandler MyApache2::DLAuth=0A My in=
dex.php file is also in /downloads and it handles everything after the auth=
is done.=0AI'm thinking the 'SetHandler' directive has something to do wit=
h my php script no longer working but I'm unsure how to work around the pro=
blem.=0AAny ideas? Perhaps this a question for the apache http forums?=0A=
=0AThanks again for all your help, Ty ----- Original Messag=
e ----=0AFrom: Andr=E9 Warnier =0ATo: modperl@perl.apache.or=
g=0ACc: tyju tiui =0ASent: Saturday, June 14, 2008 3:5=
7:31 AM=0ASubject: Re: setting a server variable tyju tiui wrote=
:=0A> Hi,=0A> =0A> I'm new to mod_perl and I'm having some difficulty under=
standing a few things.=0A> I'd like to write an Apache module which authent=
icates a request based on the URL.=0A> I only want the module to deny inval=
id requests and allow valid requests to be processed as normal.=0A> =0A> A =
more specific example would be like:=0A> =0A> Request URL: http://myhos=
t.com/REALLY-SECURE-TOKEN/file2download=0A> Module logic: if REALLY-SEC=
URE-TOKEN is valid, allow the request to continue - else, stop request with=
an error=0A> =0A> External application logic: if request got here witho=
ut error then=0A> find the file2download and write it to the output stream =
- else, show=0A> custom error=0A> =0A> =0A> I think the best way to do t=
his is something like:=0A> =0A> 1) Write a module which evaluates the URL a=
nd places a variable in the request's scope =0A> 2)=0A> Use mod_rewrite to =
evaluate the newly set variable and pass execution=0A> to the proper place =
with any error code that might have been placed in=0A> the variable=0A> =0A=
With mod_perl, it might not be so complicated.=0AWhat you probably want is =
a PerlAccessHandler module.=0AThis will check if the request URL is ok (val=
id token).=0AIf it is, it returns Apache2::Const::OK, and Apache will conti=
nue =0Aprocessing the request (e.g., sending the file).=0AIf the token is n=
ot ok, it returns Apache2::Const::FORBIDDEN, and Apache =0Awill (automatica=
lly) return an error page telling the user he is not =0Aallowed to do that.=
Look there for an explanation and an example : =0Ahttp://perl.apache.=
org/docs/2.0/user/handlers/http.html#PerlAccessHandler In your case, f=
orget the Apache2::Connection and the IP-linked stuff, =0Aand replace it wi=
th your code to check the URL.=0AIn the Apache configuration, you would hav=
e something like this : =0A .. general rules for allowing=
things like html pages, gifs etc..=0A=0A=
=0A# where your files are=0ASetHandler mod_perl=0APerlAccessHandler MyModul=
e=0A...=0A =0AAnd that's basically it.=0ANow, if this is yo=
ur first mod_perl Apache add-on module, you'll have to =0Afigure out some m=
ore stuff, but it's fun. André