DevHeads.net

Postings by Marat Khalili

On proxy insert header from database using client certificate CN as a key

Dear all,

I'd like to perform the following task on Apache proxy:
* take some value from client certificate (either common name or email);
* query some database by this value as a key;
* use resulting value in a new header inserted into connection.

Is it possible to solve it using only Apache modules? What modules
should I look into?

(Plan B is to pre-generate Apache config with many If's on
%{SSL:SSL_CLIENT_S_DN_CN}, but of course I'd like a cleaner solution.)

Update OCSP stapling response in advance

Dear list,
good time of the day,

Is it possible to make Apache start requesting fresh OCSP response some
time before previous one expires, in order to prevent outages due to
poor OCSP server availability? SSLStaplingResponseMaxAge directive looks
promising, but will it return older response if fresh one cannot be
obtained, or will it just fail?

(Sorry if discussed earlier, I remember something along these lines, but
don't remember if some solution or workaround was found.)

hostname in aliases.db

I've got the following problem which is not critical but still
interesting. I'm cloning an LXC container which optionally can contain
postfix installation. After cloning the filesystem there's a number of
places I need to change the hostname in.

I used grep to search for these places and unexpectedly found a mention
of the hostname in /etc/aliases.db, even though /etc/aliases does not
include it.

AAAA requests on IPv6-disconnected system: bug or feature?

Postfix is installed as forwarder to a fixed relay in a system with no
IPv6 addresses (disabled system-wide by net.ipv6.conf.*.disable_ipv6
lines in sysctl). Still, for each message it separately requests both A
and AAAA records of the relay from DNS, as I verified by tcpdump. Is it
a bug or feature?

Automatically substitute FQDN of local system in config

Dear all,

I'm having trouble creating Postfix config (main.cf) without explicitly
writing domain name in it. I'd like both myhostname and mydomain
automatically set to output of `hostname -f` or contents of
/etc/mailname. However, whatever combinations of myorigin, mydomain and
myhostname I define, I either receive errors or values like
`hostname`.localdomain. Is it impossible, or am I missing some working
combination?

I'm using Postfix 3.1.0-3 under Ubuntu 16.04.

ProxyPreserveHost doesn't work with SSL

Dear all,

I'm reverse proxying requests on Apache/2.4.18 (stock version on Ubuntu
16.04) via SSL to an application running on IIS 7.0. Somehow, despite
ProxyPreserveHost, IIS app manages to sniff IP-address 10.1.2.3
specified in ProxyPass (see below) and breaks. If I replace 10.1.2.3
with myapp.com and put "10.1.2.3 myapp.com" in /etc/hosts everything
works (but I don't like the solution).

Because of SSL the problem is somewhat hard to debug, can't just packet
trace.

WebDAV reverse proxy SLOW

Dear all,

I'm configuring a reverse proxy with configuration provided below, for
Apache 2.4 for Windows (I'm trying to bypass Windows authentication
dialogs this way). It works, but file browsing is very slow: listing
three files in a folder takes several seconds, dir /b/s comes line after
line, and doesn't improve. In contrast, same WebDAV resource connected
directly or via NetDrive utility is quite responsive. I suspect Apache
does not reuse connections or similar problems, but can't find more
parameters to tune. Please advise.