Berkeley CSUA MOTD:Entry 22984
2001/11/9 [Computer/Networking, Computer/SW/OS/Windows] UID:22984 Activity:kinda low
11/8    Is there a way to do access control lists using .htaccess files in
        apache?  I want to do something like if src IP is A then redirect
        to this URL.  if src IP is B, deny.  If src IP is C, then permit.
        That kind of stuff.  I've been getting a lot of hits that try to
        execute cmd.exe or some other NT stuff.  To exploit IIS. But my server
        is a unix box.  They're getting to be annoying and I want to filter
        them out.  Thanks.
        \_ You can certainly block certain IP addresses using the Allow
           and Deny directives.  Don't know if .htaccess does redirects
           based on IP address.  You should go on google and type in
           "htaccess allow deny".
        \_ You can do anything you want (almost) with mod_rewrite (it's one
           of the standard modules).  Check out:
           http://httpd.apache.org/docs/mod/mod_rewrite.html    --dbushong

        [MOTD partially restored; apparently someone thought
         it was too long - boo-hoo....]
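
The rules asked about in the thread above, combining the Allow/Deny directives from the first reply with mod_rewrite from the second, as an added example that is not part of the original thread. The three addresses and the redirect URL are constructed placeholders, and the server configuration is assumed to permit these directives in .htaccess (AllowOverride Limit FileInfo).

```apache
# .htaccess in the document root (added example; all addresses are
# constructed placeholders from the documentation ranges).

# --- Source IP "B": deny -------------------------------------------
# Allow,Deny order: Allow lines are evaluated first, Deny lines second,
# so a client matching both is denied. Everyone else stays allowed.
# (On Apache 2.4 these directives come from mod_access_compat;
#  "Require" is the native form there.)
Order Allow,Deny
Allow from all
Deny from 198.51.100.20

# --- Source IP "A": redirect ---------------------------------------
RewriteEngine On

# A RewriteCond applies only to the RewriteRule that follows it.
# The rule pattern is tested first, then the condition.
RewriteCond %{REMOTE_ADDR} ^192\.0\.2\.10$
# Redirect target is on another host, so the redirected request does
# not come back through this rule and loop.
RewriteRule .* http://www.example.com/moved.html [R,L]

# --- Any source: refuse requests probing for cmd.exe ---------------
# "-" means no substitution; F answers 403 Forbidden; NC ignores case.
RewriteRule cmd\.exe - [F,NC]

# --- Source IP "C" (e.g. 203.0.113.30) and everyone else -----------
# No rule above matches, so the request is served normally.
```

Per-directory rules like these run on every request under the directory; where the main server configuration is editable, placing the same rules there avoids the per-directory overhead the mod_rewrite documentation describes.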
Cache (8192 bytes)
httpd.apache.org/docs/mod/mod_rewrite.html
Internal Processing

The internal processing of this module is very complex but needs to be explained once even to the average user to avoid common mistakes and to let you exploit its full functionality.

API Phases

First you have to understand that when Apache processes a HTTP request it does this in phases. A hook for each of these phases is provided by the Apache API. So, after a request comes in and Apache has determined the corresponding server (or virtual server) the rewriting engine starts processing of all mod_rewrite directives from the per-server configuration in the URL-to-filename phase. A few steps later when the final data directories are found, the per-directory configuration directives of mod_rewrite are triggered in the Fixup phase. In both situations mod_rewrite rewrites URLs either to new URLs or to filenames, although there is no obvious distinction between them. To make this point more clear remember the following two points:

1. Although mod_rewrite rewrites URLs to URLs, URLs to filenames and even filenames to filenames, the API currently provides only a URL-to-filename hook. But this point has no drawbacks for the user, it is just a fact which should be remembered: Apache does more in the URL-to-filename hook than the API intends for it.

In other words: According to the API phases at this time it is too late for any URL manipulations.
To overcome this chicken and egg problem mod_rewrite uses a trick: When you manipulate a URL/filename in per-directory context mod_rewrite first rewrites the filename back to its corresponding URL (which is usually impossible, but see the RewriteBase directive below for the trick to achieve this) and then initiates a new internal sub-request with the new URL. Again mod_rewrite tries hard to make this complicated step totally transparent to the user, but you should remember here: While URL manipulations in per-server context are really fast and efficient, per-directory rewrites are slow and inefficient due to this chicken and egg problem. But on the other hand this is the only way mod_rewrite can provide (locally restricted) URL manipulations to the average user.

Ruleset Processing

Now when mod_rewrite is triggered in these two API phases, it reads the configured rulesets from its configuration structure (which itself was either created on startup for per-server context or during the directory walk of the Apache kernel for per-directory context). Then the URL rewriting engine is started with the contained ruleset (one or more rules together with their conditions). The operation of the URL rewriting engine itself is exactly the same for both configuration contexts.

The order of rules in the ruleset is important because the rewriting engine processes them in a special (and not very obvious) order. The rule is this: The rewriting engine loops through the ruleset rule by rule (RewriteRule directives) and when a particular rule matches it optionally loops through existing corresponding conditions (RewriteCond directives). For historical reasons the conditions are given first, and so the control flow is a little bit long-winded.

[Figure 1: The control flow through the rewriting ruleset]

As you can see, first the URL is matched against the Pattern of each rule.
When it fails mod_rewrite immediately stops processing this rule and continues with the next rule. If the Pattern matches, mod_rewrite looks for corresponding rule conditions. If none are present, it just substitutes the URL with a new value which is constructed from the string Substitution and goes on with its rule-looping. But if conditions exist, it starts an inner loop for processing them in the order that they are listed. For conditions the logic is different: we don't match a pattern against the current URL. Instead we first create a string TestString by expanding variables, back-references, map lookups, etc. If the pattern doesn't match, the complete set of conditions and the corresponding rule fails. If the pattern matches, then the next condition is processed until no more conditions are available. If all conditions match, processing is continued with the substitution of the URL with Substitution.

In other words, you can include an actual dollar-sign character in a Substitution string by using '\$';

Regex Back-Reference Availability

One important thing here has to be remembered: Whenever you use parentheses in Pattern or in one of the CondPattern, back-references are internally created which can be used with the strings $N and %N (see below). These are available for creating the strings Substitution and TestString. Figure 2 shows to which locations the back-references are transferred for expansion.

[Figure 2: The back-reference flow through a rule]

We know this was a crash course on mod_rewrite's internal processing. But you will benefit from this knowledge when reading the following documentation of the available directives.

If it is set to off this module does no runtime processing at all. It does not even update the SCRIPT_URx environment variables. Use this directive to disable the module instead of commenting out all the RewriteRule directives!

Note that, by default, rewrite configurations are not inherited.
This means that you need to have a RewriteEngine on directive for each virtual host in which you wish to use it.

The Option strings can be one of the following:

inherit
    This forces the current configuration to inherit the configuration of the parent. In per-virtual-server context this means that the maps, conditions and rules of the main server are inherited.

MaxRedirects=number
    In order to prevent endless loops of internal redirects issued by per-directory RewriteRules, mod_rewrite aborts the request after reaching a maximum number of such redirects and responds with a 500 Internal Server Error. If you really need more internal redirects than 10 per request, you may increase the default to the desired value.

If the name does not begin with a slash ('/') then it is assumed to be relative to the Server Root.

Note: To disable the logging of rewriting actions it is not recommended to set file-path to /dev/null, because although the rewriting engine does not then output to a logfile it still creates the logfile output internally. This will slow down the server with no advantage to the administrator! To disable logging either remove or comment out the RewriteLog directive or use RewriteLogLevel 0!

Security: See the Apache Security Tips document for details on why your security could be compromised if the directory where logfiles are stored is writable by anyone other than the user that starts the server.

The default level 0 means no logging, while 9 or more means that practically all actions are logged. To disable the logging of rewriting actions simply set Level to 0.

Notice: Using a high value for Level will slow down your Apache server dramatically! Use the rewriting logfile at a Level greater than 2 only for debugging!

Set this lockfile to a local path (not on a NFS-mounted device) when you want to use a rewriting map-program.
The MapName is the name of the map and will be used to specify a mapping-function for the substitution strings of a rewriting rule via one of the following constructs:

    ${ MapName : LookupKey }
    ${ MapName : LookupKey | DefaultValue }

When such a construct occurs the map MapName is consulted and the key LookupKey is looked-up. If the key is found, the map-function construct is substituted by SubstValue. If the key is not found then it is substituted by DefaultValue or by the empty string if no DefaultValue was specified.

The following combinations for MapType and MapSource can be used:

* Standard Plain Text
  MapType: txt, MapSource: Unix filesystem path to valid regular file
  This is the standard rewriting map feature where...