Apache2-ClickPath
view release on metacpan or search on metacpan
"ClickPathSecretIV" is a simple string of arbitrary length. The
first 8 bytes of its MD5 digest are used as initialization vector.
If omitted the string "abcd1234" is the IV.
"ClickPathSecret" is given as "http:", "https:", "file:" or "data:"
URL. Thus the secret can be stored directly as data-URL in the
httpd.conf or in a separate file on the local disk or on a possibly
secured server. To enable all modes of accessing the WEB the
http(s)-URL syntax is a bit extented. Maybe you have already used
"http://user:password@server.tld/...". Many browsers allow this
syntax to specify a username and password for HTTP authentication.
But how about proxies, SSL-authentication etc? Well, add another
colon (:) after the password and append a semicolon (;) delimited
list of "key=value" pairs. The special characters (@:;\) can be
quoted with a backslash (\). In fact, all characters can be quoted.
Thus, "\a" and "a" produce the same string "a".
The following keys are defined:
https_proxy
https_proxy_username
https_proxy_password
https_version
https_cert_file
https_key_file
https_ca_file
https_ca_dir
https_pkcs12_file
https_pkcs12_password
their meaning is defined in Crypt::SSLeay.
http_proxy
http_proxy_username
http_proxy_password
these are passed to LWP::UserAgent.
Remember a HTTP-proxy is accessed with the GET or POST, ...
methods whereas a HTTPS-proxy is accessed with CONNECT. Don't mix
them, see Crypt::SSLeay.
Examples
ClickPathSecret https://john:a\@b\;c\::https_ca_file=/my/ca.pem@secrethost.tld/bin/secret.pl?host=me
fetches the secret from
"https://secrethost.tdl/bin/secret.pl?host=me" using "john" as
username and "a@b;c:" as password. The server certificate of
secrethost.tld is verified against the CA certificate found in
"/my/ca.pem".
ClickPathSecret https://::https_pkcs12_file=/my/john.p12;https_pkcs12_password=a\@b\;c\:;https_ca_file=/my/ca.pem@secrethost.tld/bin/secret.pl?host=me
fetches the secret again from
"https://secrethost.tdl/bin/secret.pl?host=me" using "/my/john.p12"
as client certificate with "a@b;c:" as password. The server
certificate of secrethost.tld is again verified against the CA
certificate found in "/my/ca.pem".
ClickPathSecret data:,password:very%20secret%20password
here a data-URL is used that produces the content "password:very
secret password".
The URL's content is fetched by LWP::UserAgent once at server
startup.
Its content defines the secret either in binary form or as string of
hexadecimal characters or as a password. If it starts with "binary:"
the rest of the content is taken as is as the key. If it starts with
"hex:" "pack( 'H*', $arg )" is used to convert it to binary. If it
starts with "password:" or with neither of them the MD5 digest of
the rest of the content is used as secret.
The Blowfish algorithm allows up to 56 bytes as secret. In hex and
binary mode the starting 56 bytes are used. You can specify more
bytes but they won't be regarded. In password mode the MD5 algorithm
produces 16 bytes long secret.
Working with a load balancer
Most load balancers are able to map a request to a particular machine
based on a part of the request URI. They look for a prefix followed by a
given number of characters or until a suffix is found. The string
between identifies the machine to route the request to.
The name set with "ClickPathMachine" can be used by a load balancer. It
is immediately following the session prefix and finished by a single
lib/Apache2/ClickPath.pm view on Meta::CPAN
the key, C<ClickPathSecretIV> the initialization vector.
C<ClickPathSecretIV> is a simple string of arbitrary length. The first 8
bytes of its MD5 digest are used as initialization vector. If omitted the
string C<abcd1234> is the IV.
C<ClickPathSecret> is given as C<http:>, C<https:>, C<file:> or C<data:> URL.
Thus the secret can be stored directly as data-URL in the httpd.conf or in a
separate file on the local disk or on a possibly secured server. To enable
all modes of accessing the WEB the http(s)-URL syntax is a bit extented.
Maybe you have already used C<http://user:password@server.tld/...>. Many
browsers allow this syntax to specify a username and password for HTTP
authentication. But how about proxies, SSL-authentication etc? Well, add
another colon (:) after the password and append a semicolon (;) delimited
list of C<key=value> pairs. The special characters (@:;\) can be quoted
with a backslash (\). In fact, all characters can be quoted. Thus, C<\a> and
C<a> produce the same string C<a>.
The following keys are defined:
=over 2
=item B<https_proxy>
=item B<https_proxy_username>
=item B<https_proxy_password>
=item B<https_version>
=item B<https_cert_file>
=item B<https_key_file>
=item B<https_ca_file>
=item B<https_ca_dir>
=item B<https_pkcs12_file>
=item B<https_pkcs12_password>
their meaning is defined in L<Crypt::SSLeay>.
=item B<http_proxy>
=item B<http_proxy_username>
=item B<http_proxy_password>
these are passed to L<LWP::UserAgent>.
Remember a HTTP-proxy is accessed with the GET or POST, ... methods whereas
a HTTPS-proxy is accessed with CONNECT. Don't mix them, see L<Crypt::SSLeay>.
=back
B<Examples>
ClickPathSecret https://john:a\@b\;c\::https_ca_file=/my/ca.pem@secrethost.tld/bin/secret.pl?host=me
fetches the secret from C<https://secrethost.tdl/bin/secret.pl?host=me>
using C<john> as username and C<a@b;c:> as password. The server certificate
of secrethost.tld is verified against the CA certificate found in
C</my/ca.pem>.
ClickPathSecret https://::https_pkcs12_file=/my/john.p12;https_pkcs12_password=a\@b\;c\:;https_ca_file=/my/ca.pem@secrethost.tld/bin/secret.pl?host=me
fetches the secret again from C<https://secrethost.tdl/bin/secret.pl?host=me>
using C</my/john.p12> as client certificate with C<a@b;c:> as password.
The server certificate of secrethost.tld is again verified against the CA
certificate found in C</my/ca.pem>.
ClickPathSecret data:,password:very%20secret%20password
here a data-URL is used that produces the content
C<password:very secret password>.
The URL's content is fetched by L<LWP::UserAgent> once at server startup.
Its content defines the secret either in binary form or as string of
hexadecimal characters or as a password. If it starts with C<binary:> the
rest of the content is taken as is as the key. If it starts with C<hex:>
C<pack( 'H*', $arg )> is used to convert it to binary. If it starts with
C<password:> or with neither of them the MD5 digest of the rest of the
content is used as secret.
The Blowfish algorithm allows up to 56 bytes as secret. In hex and binary
mode the starting 56 bytes are used. You can specify more bytes but they
won't be regarded. In password mode the MD5 algorithm produces
16 bytes long secret.
=back
=head2 Working with a load balancer
Most load balancers are able to map a request to a particular machine
based on a part of the request URI. They look for a prefix followed
by a given number of characters or until a suffix is found. The string
between identifies the machine to route the request to.
lib/Apache2/ClickPath/_parse.pm view on Meta::CPAN
my @auth=split /(?<!\\):/, $2, 3;
if( length $auth[0] and length $auth[1] ) {
@ENV{qw{HTTP_USERNAME HTTP_PASSWORD}}=map {s!\\(.)!$1!g; $_} @auth[0,1];
}
foreach my $el (split /(?<!\\);/, $auth[2]) {
$el=~s!\\(.)!$1!g;
if( $el=~s/https_proxy=//i ) {
$ENV{HTTPS_PROXY}=$el;
} elsif( $el=~s/https_proxy_username=//i ) {
$ENV{HTTPS_PROXY_USERNAME}=$el;
} elsif( $el=~s/https_proxy_password=//i ) {
$ENV{HTTPS_PROXY_PASSWORD}=$el;
} elsif( $el=~s/https_version=//i ) {
$ENV{HTTPS_VERSION}=$el;
} elsif( $el=~s/https_cert_file=//i ) {
$ENV{HTTPS_CERT_FILE}=$el;
} elsif( $el=~s/https_key_file=//i ) {
$ENV{HTTPS_KEY_FILE}=$el;
} elsif( $el=~s/https_ca_file=//i ) {
$ENV{HTTPS_CA_FILE}=$el;
} elsif( $el=~s/https_ca_dir=//i ) {
$ENV{HTTPS_CA_DIR}=$el;
} elsif( $el=~s/https_pkcs12_file=//i ) {
$ENV{HTTPS_PKCS12_FILE}=$el;
} elsif( $el=~s/https_pkcs12_password=//i ) {
$ENV{HTTPS_PKCS12_PASSWORD}=$el;
} elsif( $el=~s/http_proxy=//i ) {
$ua->proxy( http=>$el );
} elsif( $el=~s/http_proxy_username=//i ) {
$ENV{HTTP_PROXY_USERNAME}=$el;
} elsif( $el=~s/http_proxy_password=//i ) {
$ENV{HTTP_PROXY_PASSWORD}=$el;
}
}
}
$arg=~s!\\(.)!$1!g if( $arg=~m#^https?://# );
my $resp=$ua->get( $arg );
if( $resp->code==200 ) {
$arg=$resp->content;
if( $arg=~s/^binary:// ) {
# blowfish keys are up to 56 bytes long
$arg=substr( $arg, 0, 56 ) if( length($arg)>56 );
} elsif( $arg=~s/^hex:// ) {
$arg=pack( 'H*', $arg );
$arg=substr( $arg, 0, 56 ) if( length($arg)>56 );
} elsif( $arg=~s/^password:// ) {
$arg=Digest::MD5::md5( $arg );
} else {
$arg=Digest::MD5::md5( $arg );
}
return $arg;
} else {
die "ERROR: ClickPathSecret: Cannot fetch secret from $arg\n";
}
}
( run in 0.441 second using v1.01-cache-2.11-cpan-3cd7ad12f66 )