Apache2-ClickPath
view release on metacpan or search on metacpan
"ClickPathSecretIV"is a simple string of arbitrarylength. Thefirst 8 bytes of its MD5 digest are used as initialization vector.If omitted the string"abcd1234"is the IV."ClickPathSecret"isgivenas"http:","https:","file:"or"data:"URL. Thus the secret can be stored directly as data-URL in thehttpd.conf or in a separate file on thelocaldisk or on a possiblysecured server. To enable all modes of accessing the WEB thehttp(s)-URL syntax is a bit extented. Maybe you have already usedsyntax to specify a username and passwordforHTTP authentication.But how about proxies, SSL-authentication etc? Well, add anothercolon (:)afterthe password and append a semicolon (;) delimitedlist of"key=value"pairs. The special characters (@:;\) can bequotedwitha backslash (\). In fact, all characters can be quoted.Thus,"\a"and"a"produce the same string"a".The followingkeysaredefined:https_proxyhttps_proxy_usernamehttps_proxy_passwordhttps_versionhttps_cert_filehttps_key_filehttps_ca_filehttps_ca_dirhttps_pkcs12_filehttps_pkcs12_passwordtheir meaning isdefinedin Crypt::SSLeay.http_proxyhttp_proxy_usernamehttp_proxy_passwordthese are passed to LWP::UserAgent.Remember a HTTP-proxy is accessedwiththe GET or POST, ...methods whereas a HTTPS-proxy is accessedwithCONNECT. Don't mixthem, see Crypt::SSLeay.ExamplesClickPathSecret https://john:a\@b\;c\::https_ca_file=/my/ca.pem@secrethost.tld/bin/secret.pl?host=mefetches the secret fromusername and"a@b;c:"as password. The server certificate ofsecrethost.tld is verified against the CA certificate found in"/my/ca.pem".ClickPathSecret https://::https_pkcs12_file=/my/john.p12;https_pkcs12_password=a\@b\;c\:;https_ca_file=/my/ca.pem@secrethost.tld/bin/secret.pl?host=mefetches the secret again fromcertificate of secrethost.tld is again verified against the CAcertificate found in"/my/ca.pem".ClickPathSecret data:,password:very%20secret%20passwordhere a data-URL is used that produces the content "password:verysecret password".The URL's content is fetched by LWP::UserAgent once at serverstartup.Its content defines the secret either in binary form or as string ofhexadecimal characters or as a password. If it startswith"https://metacpan.org/pod/binary:">binary:"the rest of the content is taken as is as the key. If it startswith"hex:""pack( 'H*', $arg )"is used to convert it to binary. If itstartswith"https://metacpan.org/pod/password:">password:"orwithneither of them the MD5 digest ofthe rest of the content is used as secret.The Blowfish algorithm allows up to 56 bytes as secret. Inhexandbinary mode the starting 56 bytes are used. You can specify morebytes but they won't be regarded. In password mode the MD5 algorithmproduces 16 bytes long secret.Workingwitha load balancerMost load balancers are able tomapa request to a particular machinebased on a part of the request URI. They lookfora prefix followed by agivennumber of characters oruntila suffix is found. The stringbetween identifies the machine to route the request to.The name setwith"https://metacpan.org/pod/ClickPathMachine">ClickPathMachine"can be used by a load balancer. Itis immediately following the session prefix and finished by a single
lib/Apache2/ClickPath.pm view on Meta::CPAN
the key, C<ClickPathSecretIV> the initialization vector.C<ClickPathSecretIV> is a simple string of arbitrarylength. The first 8bytes of its MD5 digest are used as initialization vector. If omitted thestring C<abcd1234> is the IV.C<ClickPathSecret> isgivenas C<http:>, C<https:>, C<file:> or C<data:> URL.Thus the secret can be stored directly as data-URL in the httpd.conf or in aseparate file on thelocaldisk or on a possibly secured server. To enableall modes of accessing the WEB the http(s)-URL syntax is a bit extented.browsers allow this syntax to specify a username and passwordforHTTPauthentication. But how about proxies, SSL-authentication etc? Well, addanother colon (:)afterthe password and append a semicolon (;) delimitedlist of C<key=value> pairs. The special characters (@:;\) can be quotedwitha backslash (\). In fact, all characters can be quoted. Thus, C<\a> andC<a> produce the same string C<a>.The followingkeysaredefined:=over 2=item B<https_proxy>=item B<https_proxy_username>=item B<https_proxy_password>=item B<https_version>=item B<https_cert_file>=item B<https_key_file>=item B<https_ca_file>=item B<https_ca_dir>=item B<https_pkcs12_file>=item B<https_pkcs12_password>their meaning is defined in L<Crypt::SSLeay>.=item B<http_proxy>=item B<http_proxy_username>=item B<http_proxy_password>these are passed to L<LWP::UserAgent>.Remember a HTTP-proxy is accessed with the GET or POST, ... methods whereasa HTTPS-proxy is accessed with CONNECT. Don't mix them, see L<Crypt::SSLeay>.=backB<Examples>ClickPathSecret https://john:a\@b\;c\::https_ca_file=/my/ca.pem@secrethost.tld/bin/secret.pl?host=mefetches the secret from C<https://secrethost.tdl/bin/secret.pl?host=me>using C<john> as username and C<a@b;c:> as password. The server certificateof secrethost.tld is verified against the CA certificate found inC</my/ca.pem>.ClickPathSecret https://::https_pkcs12_file=/my/john.p12;https_pkcs12_password=a\@b\;c\:;https_ca_file=/my/ca.pem@secrethost.tld/bin/secret.pl?host=mefetches the secret again from C<https://secrethost.tdl/bin/secret.pl?host=me>using C</my/john.p12> as client certificate with C<a@b;c:> as password.The server certificate of secrethost.tld is again verified against the CAcertificate found in C</my/ca.pem>.ClickPathSecret data:,password:very%20secret%20passwordhere a data-URL is used that produces the contentC<password:very secret password>.The URL's content is fetched by L<LWP::UserAgent> once at server startup.Its content defines the secret either in binary form or as string ofhexadecimal characters or as a password. If it starts with C<binary:> therest of the content is taken as is as the key. If it starts with C<hex:>C<pack( 'H*', $arg )> is used to convert it to binary. If it starts withC<password:> or with neither of them the MD5 digest of the rest of thecontent is used as secret.The Blowfish algorithm allows up to 56 bytes as secret. In hex and binarymode the starting 56 bytes are used. You can specify more bytes but theywon't be regarded. In password mode the MD5 algorithm produces16 bytes long secret.=back=head2 Working with a load balancerMost load balancers are able to map a request to a particular machinebased on a part of the request URI. They look for a prefix followedby a given number of characters or until a suffix is found. The stringbetween identifies the machine to route the request to.
lib/Apache2/ClickPath/_parse.pm view on Meta::CPAN
my@auth=split/(?<!\\):/, $2, 3;if(length$auth[0] andlength$auth[1] ) {@ENV{qw{HTTP_USERNAME HTTP_PASSWORD}}=map{s!\\(.)!$1!g;$_}@auth[0,1];}foreachmy$el(split/(?<!\\);/,$auth[2]) {$el=~s!\\(.)!$1!g;if($el=~s/https_proxy=//i ) {$ENV{HTTPS_PROXY}=$el;}elsif($el=~s/https_proxy_username=//i ) {$ENV{HTTPS_PROXY_USERNAME}=$el;}elsif($el=~s/https_proxy_password=//i ) {$ENV{HTTPS_PROXY_PASSWORD}=$el;}elsif($el=~s/https_version=//i ) {$ENV{HTTPS_VERSION}=$el;}elsif($el=~s/https_cert_file=//i ) {$ENV{HTTPS_CERT_FILE}=$el;}elsif($el=~s/https_key_file=//i ) {$ENV{HTTPS_KEY_FILE}=$el;}elsif($el=~s/https_ca_file=//i ) {$ENV{HTTPS_CA_FILE}=$el;}elsif($el=~s/https_ca_dir=//i ) {$ENV{HTTPS_CA_DIR}=$el;}elsif($el=~s/https_pkcs12_file=//i ) {$ENV{HTTPS_PKCS12_FILE}=$el;}elsif($el=~s/https_pkcs12_password=//i ) {$ENV{HTTPS_PKCS12_PASSWORD}=$el;}elsif($el=~s/http_proxy=//i ) {$ua->proxy(http=>$el);}elsif($el=~s/http_proxy_username=//i ) {$ENV{HTTP_PROXY_USERNAME}=$el;}elsif($el=~s/http_proxy_password=//i ) {$ENV{HTTP_PROXY_PASSWORD}=$el;}}}$arg=~s!\\(.)!$1!gif($arg=~m#^https?://# );my$resp=$ua->get($arg);if($resp->code==200 ) {$arg=$resp->content;if($arg=~s/^binary:// ) {# blowfish keys are up to 56 bytes long$arg=substr($arg, 0, 56 )if(length($arg)>56 );}elsif($arg=~s/^hex:// ) {$arg=pack('H*',$arg);$arg=substr($arg, 0, 56 )if(length($arg)>56 );}elsif($arg=~s/^password:// ) {$arg=Digest::MD5::md5($arg);}else{$arg=Digest::MD5::md5($arg);}return$arg;}else{die"ERROR: ClickPathSecret: Cannot fetch secret from $arg\n";}}
( run in 0.322 second using v1.01-cache-2.11-cpan-3cd7ad12f66 )