Discussion:
using environment variable with mod_rewrite in apache 2.2
(too old to reply)
yamo'
2012-04-27 15:25:58 UTC
Permalink
Hi,

I want to use an environment variable created by mod_rewrite in an
apache configuration file. This variable may not be readable outside
mod_rewrite?

RewriteRule ^/git/(.*).git/(.*)/(.*) - [env=PROJET:$1]


It is to have a simple and dynamic configuration file for git by
authentication from an active directory by group.

I can write the value of this environment variable to a log file but I
can't do more!

LogFormat "%{PROJET}e %U" git
CustomLog logs/git_log git

In the <Location /git/> there's no environment variable which could be read?

I've tried %{PROJET} %{ENV:PROJET}...


mod_rewrite was the only module I've found which can do that, I do not
to rewrite the url, I only want to get the name of the project.



I tried for days and now I ask you if someone already did it?
--
Stéphane
Eli the Bearded
2012-04-27 20:10:33 UTC
Permalink
Post by yamo'
I want to use an environment variable created by mod_rewrite in an
apache configuration file. This variable may not be readable outside
mod_rewrite?
Works for me, if I put the CustomLog in the right spot. You didn't
include enough of your conf file to see how things were being used.

LogFormat "%{PROJET}e %U" git
CustomLog /home/user/temp/gitapache/badgit.log git

<VirtualHost *:8181>
ServerName a.localdomain
DocumentRoot /home/user/temp/gitapache/

RewriteEngine On
RewriteLog /home/user/temp/gitapache/rewrite.log
RewriteRule ^/git/(.*).git/(.*)/(.*) - [env=PROJET:$1]

CustomLog /home/user/temp/gitapache/goodgit.log git
ErrorDocument 404 "Thanks for all the fish."
</VirtualHost>

$ telnet localhost 8181
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /git/something.git/else/foo HTTP/1.0

HTTP/1.1 404 Not Found
Date: Fri, 27 Apr 2012 20:01:33 GMT
Server: Apache/2.2.14 (Ubuntu)
Content-Length: 24
Connection: close
Content-Type: text/html; charset=iso-8859-1

Thanks for all the fish.Connection closed by foreign host.
$ cat badgit.log
$ cat goodgit.log
something /git/something.git/else/foo
$

Elijah
------
isn't afraid to spin up test apache instances to test stuff
yamo'
2012-04-27 21:06:49 UTC
Permalink
Hi,
Post by Eli the Bearded
Works for me, if I put the CustomLog in the right spot. You didn't
include enough of your conf file to see how things were being used.
I will post the other lines of the configuration file on Monday.

My big problem it is that in the location area into the virtualhost, I
can't access to to the value of %{ENV:PROJET} in the errorlog file I
have %{ENV:PROJET}.

Thanks to have look at this problem.
--
Stéphane <http://pasdenom.info/fortune/?>
yamo'
2012-04-30 12:30:36 UTC
Permalink
Hi,
Post by Eli the Bearded
Post by yamo'
I want to use an environment variable created by mod_rewrite in an
apache configuration file. This variable may not be readable outside
mod_rewrite?
Works for me, if I put the CustomLog in the right spot. You didn't
include enough of your conf file to see how things were being used.
You can see my configuration file :



SetEnv GIT_PROJECT_ROOT /var/git-repositories/
SetEnv GIT_HTTP_EXPORT_ALL
<VirtualHost *:80>
Options All
RewriteEngine On
RewriteOptions Inherit


RewriteRule ^/git/(.*).git/(.*)/(.*) - [env=PROJET:$1]
LogLevel debug
LogFormat "%{PROJET}e %U" git
CustomLog logs/git_log git
RewriteLogLevel 3
RewriteLog logs/rewrite_log
<Location /git/>
AuthType Basic
AuthName "Private Git Access"
AuthzLDAPAuthoritative on
AuthzLDAPMethod ldap
AuthzLDAPProtocolVersion 3
AuthBasicProvider ldap
AuthLDAPUrl
"ldap://an_ldap_server:3268/DC=domain,DC=toplevel?sAMAccountName?sub?(objectclass=person)"
NONE
AuthLDAPBindDN "CN=bind user,CN=Users,DC=domain,DC=toplevel"
AuthLDAPBindPassword "secret"
Require ldap-group CN=%{PROJET},OU=ou,OU=ou,DC=domain,DC=toplevel
AuthLDAPGroupAttribute member
AuthLDAPGroupAttributeIsDN on
</Location>

</VirtualHost>
ScriptAlias /git/ /usr/libexec/git-core/git-http-backend/


In git_log, I have the right value for %{PROJET}e.


The big problem is for the line Require ldap-group CN=%{PROJET} ...
where the variables are not replaced by the value:

error_log :
auth_ldap authorise: require group
"CN=%{PROJET},OU=ou,DC=domain,DC=toplevel": authorisation failed
[Comparison complete][No such object]


If also tested with that, just after RewriteRule, and VARPROJET is equal
to "%{PROJET}" and the value of PROJET...

SetEnvIf SERVER_ADDR the_ip_address VARPROJET=%{PROJET}
--
Stéphane
Eli the Bearded
2012-04-30 20:03:13 UTC
Permalink
Post by yamo'
RewriteRule ^/git/(.*).git/(.*)/(.*) - [env=PROJET:$1]
...
Post by yamo'
LogFormat "%{PROJET}e %U" git
CustomLog logs/git_log git
...
Post by yamo'
Require ldap-group CN=%{PROJET},OU=ou,OU=ou,DC=domain,DC=toplevel
...
Post by yamo'
In git_log, I have the right value for %{PROJET}e.
Which was what you initially complained about not working.
Post by yamo'
The big problem is for the line Require ldap-group CN=%{PROJET} ...
auth_ldap authorise: require group
"CN=%{PROJET},OU=ou,DC=domain,DC=toplevel": authorisation failed
[Comparison complete][No such object]
When Apache starts up, environment variables get subsituted in the
config commands. A feature of mod_log_config is to expand variables
at the time logs get written, and for that it uses a special syntax
not interpreted as environment to the rest of Apache: the "%{name}e"
syntax. I'm not sure if mod_authz will expand variables on each
request. But if does, they should be in proper format: the "${name}"
syntax. Does this work for you:

Require ldap-group CN=${PROJET},OU=ou,OU=ou,DC=domain,DC=toplevel

(You need to make sure that $PROJET is *not* in the environment when
starting Apache or else it will get substituted at startup.)

Elijah
------
it looks like mod_authnz_ldap.c does check environment per request
yamo'
2012-05-02 13:38:22 UTC
Permalink
Hi,
Post by Eli the Bearded
Post by yamo'
RewriteRule ^/git/(.*).git/(.*)/(.*) - [env=PROJET:$1]
...
Post by yamo'
LogFormat "%{PROJET}e %U" git
CustomLog logs/git_log git
...
Post by yamo'
Require ldap-group CN=%{PROJET},OU=ou,OU=ou,DC=domain,DC=toplevel
...
Post by yamo'
In git_log, I have the right value for %{PROJET}e.
Which was what you initially complained about not working.
No, I wrote that in first post <jnedpc$81r$***@nntp.pasdenom.info>, sorry
if I was not clear enough, I'm not fluent in English :

It is to have a simple and dynamic configuration file for git by
authentication from an active directory by group.

I can write the value of this environment variable to a log
file but I can't do more!
Post by Eli the Bearded
When Apache starts up, environment variables get subsituted in the
config commands. A feature of mod_log_config is to expand variables
at the time logs get written, and for that it uses a special syntax
not interpreted as environment to the rest of Apache: the "%{name}e"
syntax. I'm not sure if mod_authz will expand variables on each
request. But if does, they should be in proper format: the "${name}"
Require ldap-group
CN=${PROJET},OU=ou,OU=ou,DC=domain,DC=toplevel
I've also tested with your advice, and the result is the same. I think I
had already tested it before but I've tested a lot of possibilities so I
can't remember all the tests that I've done...
Post by Eli the Bearded
(You need to make sure that $PROJET is *not* in the environment when
starting Apache or else it will get substituted at startup.)
By using phpinfo, I don't see the PROJET variable, I don't know if
there's a best method to do that.
Post by Eli the Bearded
Elijah
------
it looks like mod_authnz_ldap.c does check environment per request
I read the paragraph "Using Environment Variables", mod_authnz_ldap not
use environment variables : <http://httpd.apache.org/docs/2.2/env.html> :-(
--
Stéphane
Loading...