x-vdirs without effect, Aliases not working in Lucee 5

Markus Wollny

Jul 29, 2016, 8:08:40 PM
to mod_cfml
Hi,

I was under the assumption that there should be some sort of magic going on either with the Tomcat valve component or with Lucee, that would honour any Alias configuration inside an Apache VirtualHost. This seems to not be the case.

I have a directory /var/www/aliasdirs/webserver/example/

There are two files in this directory:
/var/www/aliasdirs/webserver/example/index.cfm
/var/www/aliasdirs/webserver/example/foo.txt

I have an Alias directive set up in the VirtualHost for luceetest.somehost.tld pointing /aliasdir/ to /var/www/aliasdirs/webserver/. The DocumentRoot for this VirtualHost is pointing to /var/www/_luceedev/webserver/

When I browse to http://luceetest.somehost.tld/aliasdir/example/foo.txt, I get the correct file served by Apache.

When instead I try http://luceetest.somehost.tld/aliasdir/example/index.cfm I get a MissingIncludeException from Lucee, saying it cannot find /var/www/_luceedev/webserver/aliasdir/example/index.cfm, i.e. it is trying to access the path in the DocumentRoot, ignoring the Alias.

I have turned on logging in both Apache and Tomcat; I have slightly renamed and/or deleted paths, Cookie values and shared key for security reasons and in order to keep the log-snippets small enough.

From the Apache-side, everything seems to be communicated alright, here are the relevant lines from the Apache log:

[Tue Jul 26 11:18:20.074213 2016] [modcfml:notice] [pid 17234] Handler Pattern Found => .cfm
[Tue Jul 26 11:18:20.074233 2016] [modcfml:notice] [pid 17234] Pattern Match TRUE: extension [.cfm] matches handler [.cfm]
[Tue Jul 26 11:18:20.074237 2016] [modcfml:notice] [pid 17234] Handler Pattern Found => .cfc
[Tue Jul 26 11:18:20.074239 2016] [modcfml:notice] [pid 17234] Handler Pattern Found => .cfml
[Tue Jul 26 11:18:20.074252 2016] [modcfml:notice] [pid 17234] Printing aliases: [2] found
[Tue Jul 26 11:18:20.074320 2016] [modcfml:notice] [pid 17234] 0. Alias: [/example/] -> [/var/www/aliasdirs/webserver/example/]
[Tue Jul 26 11:18:20.074326 2016] [modcfml:notice] [pid 17234] 1. Alias: [/icons/] -> [/usr/share/apache2/icons/]
[Tue Jul 26 11:18:20.074337 2016] [modcfml:notice] [pid 17234] URI => /aliasdir/example/index.cfm, filename => index.cfm
[Tue Jul 26 11:18:20.074340 2016] [modcfml:notice] [pid 17234] Incoming header [Host] => luceetest.somehost.tld
[Tue Jul 26 11:18:20.074342 2016] [modcfml:notice] [pid 17234] Incoming header [Connection] => keep-alive
[Tue Jul 26 11:18:20.074345 2016] [modcfml:notice] [pid 17234] Incoming header [Pragma] => no-cache
[Tue Jul 26 11:18:20.074347 2016] [modcfml:notice] [pid 17234] Incoming header [Cache-Control] => no-cache
[Tue Jul 26 11:18:20.074349 2016] [modcfml:notice] [pid 17234] Incoming header [Upgrade-Insecure-Requests] => 1
[Tue Jul 26 11:18:20.074351 2016] [modcfml:notice] [pid 17234] Incoming header [User-Agent] => Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36
[Tue Jul 26 11:18:20.074354 2016] [modcfml:notice] [pid 17234] Incoming header [Accept] => text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
[Tue Jul 26 11:18:20.074357 2016] [modcfml:notice] [pid 17234] Incoming header [Accept-Encoding] => gzip, deflate, sdch
[Tue Jul 26 11:18:20.074359 2016] [modcfml:notice] [pid 17234] Incoming header [Accept-Language] => de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4
[Tue Jul 26 11:18:20.074361 2016] [modcfml:notice] [pid 17234] Incoming header [Cookie] => cb-enabled=accepted; LUCEE_ADMIN_LANG=en; 
[Tue Jul 26 11:18:20.074366 2016] [modcfml:notice] [pid 17234] Incoming header [X-Tomcat-DocRoot] => /var/www/_luceedev/webserver/
[Tue Jul 26 11:18:20.074368 2016] [modcfml:notice] [pid 17234] Incoming header [X-Webserver-Context] => luceetest-somehost-tld-luceetest-somehost-tld-confl2
[Tue Jul 26 11:18:20.074370 2016] [modcfml:notice] [pid 17234] Incoming header [X-ModCFML-SharedKey] => someSharedKey
[Tue Jul 26 11:18:20.074373 2016] [modcfml:notice] [pid 17234] Incoming header [x-vdirs] => /example,/var/www/aliasdirs/webserver/example;/icons,/usr/share/apache2/icons;

catalina.out is somewhat inconclusive:

[mod_cfml] Counters have been reset (maxContexts, timeBetweenContexts)
[mod_cfml] Decoded Request URI => /aliasdir/example/index.cfm
[mod_cfml] QueryString => null
[mod_cfml] DocRoot Value => /var/www/_luceedev/webserver/
[mod_cfml] Webserver main Host => luceetest-somehost-tld-luceetest-somehost-tld-confl2
[mod_cfml] Alias Value => luceetest.somehost.tld
[mod_cfml] New contextRecord Array initialized...
[mod_cfml] lastContext = null
[mod_cfml] throttleValue = 0
[mod_cfml] Removing old config directory: /opt/apache-tomcat-8.5.3/conf/Catalina/luceetest-somehost-tld-luceetest-somehost-tld-confl2
[mod_cfml] Creating new config directory: /opt/apache-tomcat-8.5.3/conf/Catalina/luceetest-somehost-tld-luceetest-somehost-tld-confl2
[mod_cfml] Removing old work directory: /opt/apache-tomcat-8.5.3/work/Catalina/luceetest-somehost-tld-luceetest-somehost-tld-confl2
[mod_cfml] Creating context file: /opt/apache-tomcat-8.5.3/conf/Catalina/luceetest-somehost-tld-luceetest-somehost-tld-confl2/ROOT.xml
[mod_cfml] Creating New Host...
[mod_cfml] setName Value => luceetest-somehost-tld-luceetest-somehost-tld-confl2
26-Jul-2016 11:18:18.623 INFO [luceetest-somehost-tld-luceetest-somehost-tld-confl2-startStop-1] org.apache.catalina.startup.HostConfig.deployDescriptor Deploying configuration descriptor /opt/apache-tomcat-8.5.3/conf/Catalina/luceetest-somehost-tld-luceetest-somehost-tld-confl2/ROOT.xml
===================================================================
WEB CONTEXT (e9bfb90c9e4b1da6d1ee69b811ca20dd)
-------------------------------------------------------------------
- config:/var/lucee/config/web/e9bfb90c9e4b1da6d1ee69b811ca20dd (custom setting)
- webroot:/var/www/_luceedev/webserver/
- hash:e9bfb90c9e4b1da6d1ee69b811ca20dd
- label:e9bfb90c9e4b1da6d1ee69b811ca20dd
===================================================================

[mod_cfml] Verifying context files...
[mod_cfml] Redirect URL => '/aliasdir/example/index.cfm'

Lucee is not at all affected by the x-vdirs-header, it searches for the aliased directory below the document root and throws an exception:

"ERROR","ajp-nio-8009-exec-2","07/26/2016","11:18:26","",";Page /aliasdir/example/index.cfm [/var/www/_luceedev/webserver/aliasdir/example/index.cfm] not found;lucee.runtime.exp.MissingIncludeException: Page /aliasdir/example/index.cfm [/var/www/_luceedev/webserver/aliasdir/example/index.cfm] not found

I have tried with both SharedKey set and omitted (on both sides), so that's not it. Lucee version is 5.0.0.252. As a connector I am using mod_jk with this config:

JkMount /*.jsp ajp13_worker
JkMount /*.cfm ajp13_worker
JkMount /*.cfc ajp13_worker
JkMount /*.cfml ajp13_worker
JkMount /*.cfchart ajp13_worker
 
<Location /lucee/admin>
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1    
    AuthName "Lucee"
    AuthType Basic
    AuthUserFile /etc/apache2/lucee-admin.passwords
    Require valid-user
    Satisfy any
</Location>

libapache2-mod-jk is 1.2.37-4+deb8u1 from Debian Jessie. Tomcat is Version 8.5.3.

In order to save myself from having WEB-INF directories sprinkled all over the place, I have slightly changed the servlet configuration for Lucee to have them point to a special path:

<servlet>
    <servlet-name>CFMLServlet</servlet-name>
    <description>CFML runtime Engine</description>
    <servlet-class>lucee.loader.servlet.CFMLServlet</servlet-class>
    <init-param>
       <param-name>lucee-server-directory</param-name>
       <param-value>/var/lucee/config/server/</param-value>
       <description>Lucee Server configuration directory (for Server-wide configurations, settings, and libraries)</description>
    </init-param>
    <init-param>
        <param-name>lucee-web-directory</param-name>
        <param-value>/var/lucee/config/web/{web-context-label}/</param-value>
        <description>Lucee Web Directory (for Website-specific configurations, settings, and libraries)</description>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>

Except for this, everything else is configured just like it should. CFML-files are being served alright from the DocumentRoot. Just no luck at all with Aliases.

The same applies to any other Alias, for example the /icons/-Alias - static files are served alright, whereas anything that's handed over via mod_jk to Tomcat/Lucee is being searched under the DocumentRoot, where it throws a MissingIncludeException.

Is this not supposed to work at all? I am still somewhat mystified as to who or what exactly is responsible for dealing with the x-vdirs header in the expected manner.

Kind regards

  Markus

Jordan Michaels

Jul 29, 2016, 9:52:16 PM
to mod cfml
Hi Markus,

I don't believe the x-vdir support is 100% yet. Check the following thread:
https://groups.google.com/forum/#!msg/lucee/1jiTZWL5Zg8/ZwXCRGz7DgAJ

and the subsequent feature request:
https://luceeserver.atlassian.net/browse/LDEV-694

--
Kind regards,
Jordan Michaels
Vivio Technologies

Paul Klinkenberg

Aug 1, 2016, 4:03:46 AM
to mod_...@googlegroups.com
Hi Markus,

Jordan is exactly right. We would like to have it automated, but Lucee has not implemented the necessary changes for it yet, or at least not updated the ticket in 6 months.
You could vote for the issue https://luceeserver.atlassian.net/browse/LDEV-694 to make it a little bit more clear people are wanting this, maybe leave a comment.

As a workaround, you could add the mappings on the request level, in onRequestStart of your Application.cfc:
local.aMappings = listToArray(cgi['x-vdirs'], ';');
loop array="#local.aMappings#" index="local.i" item="local.mapping" {
this.mappings[listFirst(local.mapping, ",")] = listRest(local.mapping, ",");
}

But this code has a security issue: if an attacker would do an HTTP request with a self-supplied x-vdirs header directly to your Tomcat instance (not going through port 80, but instead port 8080/8888), then he would be able to create arbitrary mappings, and be able to read any file on the server (as long as he could guess the file's location).
If you have Tomcat locked down (only accessible from the local machine), then this should not be a problem, since mod_cfml on the Apache side will remove any incoming x-vdirs header, to prevent this from happening.

Kind regards,

Paul Klinkenberg
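
An added example, not part of Paul's message and not mod_cfml or Lucee code: the validation step that the workaround above lacks, sketched in Python so it can be run stand-alone and then ported into Application.cfc. It parses the x-vdirs format shown in the Apache log and keeps only mappings whose physical target lies under an allowlisted directory, so a forged header cannot map arbitrary paths. The names filter_vdirs, parse_vdirs, is_under and ALLOWED_ROOTS are assumptions made for this example.

```python
import posixpath

# Assumed allowlist (taken from the Alias targets quoted in this thread);
# a real deployment would list its own Alias directories here.
ALLOWED_ROOTS = ("/var/www/aliasdirs/webserver", "/usr/share/apache2/icons")


def parse_vdirs(header):
    """Split 'virtual,physical;virtual,physical;' into (virtual, physical) pairs."""
    pairs = []
    for item in (header or "").split(";"):
        virtual, sep, physical = item.strip().partition(",")
        if sep and virtual.strip() and physical.strip():
            pairs.append((virtual.strip(), physical.strip()))
    return pairs


def is_under(path, root):
    """Lexical containment check; it does not resolve symlinks."""
    path, root = posixpath.normpath(path), posixpath.normpath(root)
    return path == root or path.startswith(root + "/")


def filter_vdirs(header, allowed_roots=ALLOWED_ROOTS):
    """Return {virtual: physical} for the entries that pass validation."""
    accepted = {}
    for virtual, physical in parse_vdirs(header):
        if not virtual.startswith("/") or ".." in virtual.split("/"):
            continue  # virtual path must be absolute and free of traversal
        if not physical.startswith("/"):
            continue  # physical target must be an absolute path
        if any(is_under(physical, root) for root in allowed_roots):
            accepted[virtual] = posixpath.normpath(physical)
    return accepted


# Header value as logged by Apache in the first message of this thread.
LOGGED = "/example,/var/www/aliasdirs/webserver/example;/icons,/usr/share/apache2/icons;"
# Constructed sample of a header supplied by an untrusted client.
FORGED = "/x,/etc;/y,/var/www/aliasdirs/webserver/../../../etc;/z,/var/www/aliasdirs/webserver-evil"

if __name__ == "__main__":
    print(filter_vdirs(LOGGED))  # both logged aliases are kept
    print(filter_vdirs(FORGED))  # every forged entry is dropped
```

The allowlist bounds what a forged header can map; it complements, and does not replace, keeping Tomcat's own ports reachable only from the local machine.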

Markus Wollny

Aug 2, 2016, 1:18:10 PM
to mod_cfml
Hi,

Thanks for clearing that up, I somehow missed this discussion earlier on. This would surely make mod_cfml much more versatile than it is now, as the current situation with regards to aliases (and mod_rewrites for that matter) is more or less a showstopper for us - I already added my vote to the issue LDEV-694. Anyhow, I'm going to ditch mod_cfml for now and opt for a single context setup with some mod_proxy_ajp/mod_rewrite toppings and a root-mapping in the Application.cfcs, which currently seems to be the best one can do to come next to ACF connector magic.

For those who may find this relevant to their use-case, I built on the advice here http://www.gpickin.com/index.cfm/blog/apache-and-tomcat-save-yourself-the-xml-editing-no-more-tomcat-restarts

If you combine this with mod_rewrite, you can really emulate everything you had with ACF and, apart from the single web context, which I believe is what ACF does as well, no downsides that I know of:

So for SEO-URLs for example, we do something like

RewriteCond %{REQUEST_URI} !.*\.(css|jpg|gif|zip|js|swf|ico|png)
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule (.*) ajp://localhost:8009/relative/path/to/contextroot/index.cfm?r=$1&%{QUERY_STRING} [P,L,env=AJP_REDIRECT_REAL_URL:$1]

The AJP-prefix to the environment variable makes mod_proxy_ajp pass this on to Tomcat (dropping the prefix). Now to build your router you can access the path passed to the webserver in URL.r and for completeness check CGI.REDIRECT_REAL_URL for the original path that was sent by the client-request in order to decide on redirect/noindex/canonical-strategies. In ACF that last line would have been somewhat simpler:

RewriteRule (.*) /?r=$1&%{QUERY_STRING} [PT,L,env=REAL_URL:$1]

Anyway, the conversion is really quite straightforward. You'll need one such corresponding ProxyPassMatch directive or a RewriteRule with the P-flag for each CFML-enabled DocumentRoot or Alias directive in your Apache configuration, but you won't need to touch the Tomcat configuration at all after the initial setup of the global context, not even for any changes to Alias- or DocumentRoot paths and you're basically unlimited in your options to twist and mangle requests with mod_rewrite.

I'll follow the progress of both mod_cfml and the Lucee issue LDEV-694, as I do agree that this would be a big win - anything that looks like a showstopper for an ACF migration surely is. But for the time being I guess I am happy with the current state of affairs using this alternative approach.

Kind regards

  Markus