Date:      Thu, 10 Jun 2004 20:59:27 -0400
From:      Bill Moran <wmoran@potentialtech.com>
To:        Bill Moran <wmoran@potentialtech.com>
Cc:        tt-list@simplenet.com
Subject:   Re: Frontpage and jails and possible alternatives
Message-ID:  <20040610205927.4305773d.wmoran@potentialtech.com>
In-Reply-To: <20040610193323.6217f5d5.wmoran@potentialtech.com>
References:  <20040610103818.148867d2.wmoran@potentialtech.com> <6.0.1.1.0.20040610091022.01eecec0@mail1.simplenet.com> <20040610124237.3b5b6687.wmoran@potentialtech.com> <6.0.1.1.0.20040610095745.04dc23f0@mail1.simplenet.com> <20040610133850.3de5367a.wmoran@potentialtech.com> <6.0.1.1.0.20040610134107.04accc70@mail1.simplenet.com> <20040610193323.6217f5d5.wmoran@potentialtech.com>

This is for the archives ... I have good news and bad news.

The bad news is that I can't repeat the bizarre IP binding behaviour on a test
box.  On this test box, it works as expected.  Figures ... the only time it
won't work right is on a production box!  <grumble grumble>

The good news is that jails rock!  Apache_fp runs happily inside a jail and is
incapable of binding to other IPs on the machine (aside from the one IP assigned
to the jail).  Of course, this is also chroot in nature, so any exploits that
may show up are limited to the directory tree I set aside for the jail.

So, I'm kind of frustrated that I have this mysterious behaviour that I can't
explain, but I'm pretty happy that I have a solution/workaround to move
forward in spite of the issue.  In a few days, the troublesome installation
won't even exist anymore, it'll have been replaced with a jail!

Bill Moran <wmoran@potentialtech.com> wrote:

> Tim Traver <tt-list@simplenet.com> wrote:
> > Bill,
> > 
> > ok, I tested this out for ya, and I couldn't duplicate the issue. FreeBSD 
> > 4.8...
> 
> Thanks for taking time to research this, Tim.
> 
> > I put an additional IP on the main interface, and started apache with 
> > Listen IP:80 for each IP. The server has mod_frontpage using apache 1.3.29. 
> > I even tried have the BindAddress in the conf file as well.
> 
> The only (potential) problem here is that I'm not running mod_frontpage, I'm
> running the apache13-fp port.  I've got a feeling that mod_frontpage is
> better behaved.
> 
> > Sorry, I don't have the extra time to install 1.3.31 and recompile for ya, 
> > but I think there is something else going on there...
> > 
> > Where in the conf file is your Listen directive ?
> 
> I just uncommented the one from the default config file and put the correct
> IP in it.
> 
> > What OS ?
> 
> 4.9-RELEASE-p7
> 
> > Is there 
> > anything listening on port 80 when you have apache off ?
> 
> No.
> 
> > Is your IP an 
> > alias to the primary interface ?
> 
> No.  I only have one NIC with one IP at this time ... this is going to change
> soon, though ... that's why I'm trying to sort this out.
> 
> > I really don't think that the frontpage module even has the ability to 
> > change what apache binds to...
> 
> Like I said, you wouldn't think so.  I have a feeling the apache13_fp port
> somehow compiles Frontpage into Apache, or something ...
> 
> > Anyways, thought I would let you know that I couldn't reproduce it...
> 
> Like I said.  I really appreciate you taking time to look into this.  I'm going
> to find time to try out the mod_frontpage port to see if it's better behaved.
> 
> > 
> > Tim.
> > 
> > 
> > At 10:38 AM 6/10/2004, Bill Moran wrote:
> > >Tim Traver <tt-list@simplenet.com> wrote:
> > >
> > > > Bill,
> > > >
> > > > I use the latest mod_frontpage module with Apache 1.3.31...
> > > >
> > > > I haven't tested whether or not it binds to *:80 or not when I specify 
> > > an IP.
> > > >
> > > > How are you specifying the IP in the conf file ? Are you just using Listen
> > > > xxx.xxx.xxx.xxx:80 ?
> > >
> > >Both of the following:
> > >
> > >Listen xx.xx.xx.xx:80
> > >BindAddress xx.xx.xx.xx
> > >
> > >I have another server here (used for development) with a fairly vanilla Apache
> > >install, and changing those same two settings causes it to do what I'd expect.
> > >
> > >I can't find any directives in the Frontpage Apache config that might 
> > >cause this
> > >... but I suppose it's possible that I'm missing something.
> > >
> > > > At 09:42 AM 6/10/2004, Bill Moran wrote:
> > > > >Tim Traver <tt-list@simplenet.com> wrote:
> > > > >
> > > > > > Bill,
> > > > > >
> > > > > > Not sure what you mean that frontpage caused apache to bind to all
> > > > > > IP's...it shouldn't...
> > > > >
> > > > >I agree.
> > > > >
> > > > > > The frontpage apache module should respect any of the virtual hosts or
> > > > > > virtual IP's that you have set up in apache.
> > > > >
> > > > > >It definitely should.
> > > > >
> > > > > > The module is just a way for
> > > > > > apache to run the fp.exe wrapper script around the frontpage binary. I
> > > > > > don't know how it would even be able to force apache to bind to 
> > > anything...
> > > > >
> > > > >Nor do I.
> > > > >
> > > > > > Are you sure about that ???
> > > > >
> > > > >Yes.  When I configured Apache to only listen on 1 IP address, 
> > > sockstat then
> > > > >showed it listening on that address in addition to *:80.  The exact same
> > > > >config changes on a machine without fp installed resulted in the expected
> > > > >behaviour.
> > > > >
> > > > >Now, I haven't been idle since I made that first post ... It seems 
> > > there are
> > > > >two frontpage ports, apache_fp and mod_frontpage.  I've got apache_fp
> > > > >installed.
> > > > >
> > > > >Anyone using mod_frontpage that can say whether it's better or worse?
> > > > >
> > > > > > At 07:38 AM 6/10/2004, Bill Moran wrote:
> > > > > >
> > > > > > >I just learned that if you run Apache+Frontpage, you can't teach 
> > > Apache to
> > > > > > >only listen on a single IP address.  For some reason, Frontpage causes
> > > > > > >Apache to always bind to all IP addresses.  Somehow, this stupidity
> > > > > doesn't
> > > > > > >really surprise me too much.
> > > > > > >
> > > > > > >The reason I wanted to do this is because I have a machine I want to
> > > > > > >set jails up on, so I can run multiple instances of Apache.  But I 
> > > didn't
> > > > > > >want to mess with the existing Apache installation right now.
> > > > > > >
> > > > > > >Anyway ... in the long run I've got two choices:
> > > > > > >1) Get Apache+Frontpage running in a jail so it will quit fscking up
> > > > > the other
> > > > > > >    stuff I'm trying to do on this machine
> > > > > > >2) Find some alternative to frontpage to provide frontpage 
> > > services that
> > > > > > >    behaves like a proper server.
> > > > > > >
> > > > > > >My questions are (respectively):
> > > > > > >1) Does anyone have Apache+Frontpage successfully running in a
> > > > > jail?  I just
> > > > > > >    thought I'd ask before I spent (wasted?) a lot of time trying to
> > > > > make it
> > > > > > >    work.
> > > > > > >2) Can anyone suggest an alternative to Apache+Frontpage?  I prefer
> > > > > scp myself
> > > > > > >    (and there are even spiffy GUI scp clients for Windows) but many
> > > > > of these
> > > > > > >    clients _insist_ on using Frontpage, so I _must_ continue to 
> > > cater to
> > > > > > > them.
> > > > > > >
> > > > > > >TIA for any answers.
> > > > > > >
> > > > > > >--
> > > > > > >Bill Moran
> > > > > > >Potential Technologies
> > > > > > >http://www.potentialtech.com
> > > > > > >_______________________________________________
> > > > > > >freebsd-questions@freebsd.org mailing list
> > > > > > >http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > > > > > >To unsubscribe, send any mail to
> > > > > "freebsd-questions-unsubscribe@freebsd.org"
> > > > > >
> > > > > >
> > > > > > SimpleNet's Back !
> > > > > > http://www.simplenet.com
> > > > >
> > > > >
> > > > >--
> > > > >Bill Moran
> > > > >Potential Technologies
> > > > >http://www.potentialtech.com
> > > >
> > >
> > >
> > >--
> > >Bill Moran
> > >Potential Technologies
> > >http://www.potentialtech.com
> > 
> 
> 
> -- 
> Bill Moran
> Potential Technologies
> http://www.potentialtech.com


-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com
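
Added example, not part of the original message: the sockstat check described in the thread (Apache configured for one IP but also showing up on `*:80`) written as a repeatable audit. The sample output is constructed, the column layout assumes current FreeBSD `sockstat -4 -l`, and the function name `unexpected_listeners` and the address 192.0.2.10 are hypothetical.

```shell
#!/bin/sh
# Constructed sample mirroring the symptom in the thread: httpd bound to
# the configured address and, unexpectedly, to the wildcard address too.
SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
www      httpd      1234  16 tcp4   *:80                  *:*
www      httpd      1234  17 tcp4   192.0.2.10:80         *:*
root     sshd       321   3  tcp4   *:22                  *:*'

# unexpected_listeners COMMAND PORT ALLOWED_IP
# Reads sockstat output on stdin and prints every local address where
# COMMAND listens on PORT at anything other than ALLOWED_IP (the wildcard
# "*" counts as unexpected). Prints nothing when the binding is clean.
unexpected_listeners() {
    awk -v cmd="$1" -v port="$2" -v ip="$3" '
        NR == 1 && $1 == "USER" { next }    # skip the header line
        $2 != cmd { next }                  # only the daemon being audited
        {
            addr = $6                       # LOCAL ADDRESS column
            n = split(addr, parts, ":")
            p = parts[n]                    # port is the last component
            host = substr(addr, 1, length(addr) - length(p) - 1)
            if (p == port && host != ip) print addr
        }'
}

# On a live host (assumed invocation):
#   sockstat -4 -l | unexpected_listeners httpd 80 <configured-ip>
printf '%s\n' "$SAMPLE" | unexpected_listeners httpd 80 192.0.2.10
```

Run on the host and again inside the jail: an empty result means the daemon is confined to the one address.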