vhost/VirtualScriptAlias: change /cgi-bin/ url base, suggestions

Post by DejaHoo » Tue, 28 Mar 2000 04:00:00



Moving to name-based vhosts... we have a prior convention to use /bin/
instead of /cgi-bin/ (mainly for brevity), but I have been unable to
convince VirtualScriptAlias to lose the /cgi-bin/ in favor of just
/bin/.

I haven't checked the source as yet but I see the string "/cgi-bin/"
burned into mod_vhost_alias.so so I fear the wurst. Can't use plain
ScriptAlias, we lose the vhost mapping magic.

Workaround #1,
I know I could solve the problem (and all others!) with a bit of
mod_rewrite but I'd rather voice it here first to see if there is a
simple no-overhead solution I've overlooked.

Workaround #2,
A 'bin' ExecCGI directory (or symlink pointing thereto) for every vhost
in its own virtual docroot. I'd rather keep ExecCGI directories
physically out of the docroots so I can give customers static-only sites
with full access to their docroot while maintaining strict control of
cgi. Aliasing is good because it allows scripts to run from places they
cannot touch.

--
If it turns out that there is no "simply elegant" way -- a feature
request for the VirtualScriptAlias directive: allow a two arg version of
it that behaves like ScriptAlias, and allows you to specify the url
prefix:

  VirtualScriptAlias /my-custom-cgi-bin/ /httpd/cgi-secure-area/%0

and in the spirit of ScriptAlias which allows multiple aliai: the
ability to declare multiple two-arg versions with unique url prefixii:

  VirtualScriptAlias /my-custom-cgi-bin/ /httpd/cgi-secure-area/%0
  VirtualScriptAlias /_vti_bin/ /httpd/frontpage-bin/

--
hoot


Post by Tony Finc » Sat, 01 Apr 2000 04:00:00



>Moving to name-based vhosts... we have a prior convention to use /bin/
>instead of /cgi-bin/ (mainly for brevity), but I have been unable to
>convince VirtualScriptAlias to lose the /cgi-bin/ in favor of just
>/bin/.

You have to edit the source code to the module. "cgi-bin" only occurs
once, so it's easy to change.

>If it turns out that there is no "simply elegant" way -- a feature
>request for the VirtualScriptAlias directive: allow a two arg version of
>it that behaves like ScriptAlias, and allows you to specify the url
>prefix:

>  VirtualScriptAlias /my-custom-cgi-bin/ /httpd/cgi-secure-area/%0

>and in the spirit of ScriptAlias which allows multiple aliai: the
>ability to declare multiple two-arg versions with unique url prefixii:

>  VirtualScriptAlias /my-custom-cgi-bin/ /httpd/cgi-secure-area/%0
>  VirtualScriptAlias /_vti_bin/ /httpd/frontpage-bin/

Both of these features are already on the wish list for a second
version of the module. I don't have any immediate plans to implement
it, but patches are accepted :-)

Tony.
--

307 wriggling grunion in your slipstream
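
One way to set up the mod_rewrite workaround mentioned in the first post (Workaround #1), as an added example that is not part of either post and not code from mod_vhost_alias. It assumes Apache 2.4 with mod_rewrite, mod_vhost_alias and a CGI module loaded; /httpd/docs is a hypothetical docroot base, while /bin/ and /httpd/cgi-secure-area come from the post.

```apache
# Added example, not from the thread. Assumes Apache 2.4 with mod_rewrite,
# mod_vhost_alias and mod_cgi or mod_cgid loaded.
# /httpd/docs is a hypothetical docroot base.

# Take the server name from the Host header so the per-vhost mapping works.
UseCanonicalName Off

# Static content: one customer-writable docroot per vhost, no CGI execution.
# AllowOverride None stops a .htaccess file from switching CGI back on.
VirtualDocumentRoot "/httpd/docs/%0"
<Directory "/httpd/docs">
    Options -ExecCGI
    AllowOverride None
    Require all granted
</Directory>

# CGI area kept outside every docroot, writable only by the administrator.
<Directory "/httpd/cgi-secure-area">
    Options +ExecCGI
    AllowOverride None
    Require all granted
</Directory>

RewriteEngine On
RewriteMap lowercase int:tolower

# Map /bin/<script> to /httpd/cgi-secure-area/<host>/<script>.
# The condition only accepts host names made of letters, digits, dots and
# hyphens, so nothing else from the Host header reaches the file path.
RewriteCond ${lowercase:%{SERVER_NAME}} ^([a-z0-9][a-z0-9.-]*)$
RewriteRule ^/bin/(.*)$ /httpd/cgi-secure-area/%1/$1 [H=cgi-script,L]

# A /bin/ request that failed the host check is refused rather than
# falling through to the customer's docroot.
RewriteRule ^/bin/ - [F]
```

Requests outside /bin/ are untouched by the rewrite rules and are still mapped by VirtualDocumentRoot.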

 
 
 

1. /cgi-bin/phf /cgi-bin/test-cgi /cgi-bin/handler

I've been seeing a number of attacks of this sort recently
from various sites in the http logs.  The time correlation
between the logs on various hosts suggests that the attacker
was scanning sequentially upward in IP addresses.  Since all
tcp and udp packets to ports below 1024 except for http,
smtp, and ident are filtered out for most, including the
attacking, sites, I'm not seeing anything else in the logs.

209.61.73.47 - - [04/Jul/1998:07:19:27 -0500] "GET /cgi-bin/phf" 404 -
209.61.73.47 - - [04/Jul/1998:07:19:28 -0500] "GET /cgi-bin/test-cgi" 404 -
209.61.73.47 - - [04/Jul/1998:07:19:28 -0500] "GET /cgi-bin/handler" 404 -

Is this a signature of some known attackware?  If so, what
other attacks accompany these http probes?
