-rw-r--r-- usr.sbin/httpd/Makefile.bsd-wrapper | 4
-rw-r--r-- usr.sbin/httpd/htdocs/manual/misc/index.html | 10
-rw-r--r-- usr.sbin/httpd/htdocs/manual/misc/nopgp.html | 99
-rw-r--r-- usr.sbin/httpd/htdocs/manual/misc/vif-info.html | 408
-rw-r--r-- usr.sbin/httpd/htdocs/manual/mod/core.html.html | 3
-rw-r--r-- usr.sbin/httpd/htdocs/manual/sitemap.html | 2
-rw-r--r-- usr.sbin/httpd/htdocs/manual/vhosts/virtual-host.html | 5
7 files changed, 4 insertions, 527 deletions
diff --git a/usr.sbin/httpd/Makefile.bsd-wrapper b/usr.sbin/httpd/Makefile.bsd-wrapper index b917de100a4..66c2e5a753c 100644 --- a/usr.sbin/httpd/Makefile.bsd-wrapper +++ b/usr.sbin/httpd/Makefile.bsd-wrapper @@ -1,5 +1,5 @@ # Build wrapper for Apache -# $OpenBSD: Makefile.bsd-wrapper,v 1.50 2005/07/28 19:12:39 jmc Exp $ +# $OpenBSD: Makefile.bsd-wrapper,v 1.51 2005/07/28 19:37:16 jmc Exp $ # Our lndir is hacked; specify a full path to avoid potential conflicts # with the one installed with X11. @@ -282,14 +282,12 @@ MANUALFILES= \ manual/misc/howto.html \ manual/misc/index.html \ manual/misc/known_client_problems.html \ - manual/misc/nopgp.html \ manual/misc/perf-bsd44.html \ manual/misc/perf-tuning.html \ manual/misc/perf.html \ manual/misc/rewriteguide.html \ manual/misc/security_tips.html \ manual/misc/tutorials.html \ - manual/misc/vif-info.html \ manual/misc/windoz_keepalive.html \ manual/sections.html.html \ manual/server-wide.html.html \ diff --git a/usr.sbin/httpd/htdocs/manual/misc/index.html b/usr.sbin/httpd/htdocs/manual/misc/index.html index 50faa72182c..0663008bfb6 100644 --- a/usr.sbin/httpd/htdocs/manual/misc/index.html +++ b/usr.sbin/httpd/htdocs/manual/misc/index.html @@ -85,11 +85,6 @@ <dd>A list of problems in HTTP clients which can be mitigated by Apache.</dd> - <dt><a href="nopgp.html">No PGP</a></dt> - - <dd>Why we took PEM and PGP support out of the base Apache - distribution.</dd> - <dt><a href="perf-bsd44.html">Performance Notes (BSD 4.4)</a></dt> @@ -114,11 +109,6 @@ <dd>Some "do"s - and "don't"s - for keeping your Apache web site secure.</dd> - <dt><a href="vif-info.html">Virtual Hosts (IP-based)</a></dt> - - <dd>Excerpts and notes about configuring and using Apache - IP-based virtual hosts.</dd> - <dt><a href="windoz_keepalive.html">Windows Bug with Web Keepalive</a></dt> diff --git a/usr.sbin/httpd/htdocs/manual/misc/nopgp.html b/usr.sbin/httpd/htdocs/manual/misc/nopgp.html deleted file mode 100644 index eeafb9699db..00000000000 
--- a/usr.sbin/httpd/htdocs/manual/misc/nopgp.html +++ /dev/null 
@@ -1,99 +0,0 @@ -<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" - "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> - -<html xmlns="http://www.w3.org/1999/xhtml"> - <head> - <meta name="generator" content="HTML Tidy, see www.w3.org" /> - - <title>Why We Took PEM Out of Apache</title> - </head> - <!-- Background white, links blue (unvisited), navy (visited), red (active) --> - - <body bgcolor="#FFFFFF" text="#000000" link="#0000FF" - vlink="#000080" alink="#FF0000"> - <div align="CENTER"> - <img src="../images/sub.gif" alt="[APACHE DOCUMENTATION]" /> - - <h3>Apache HTTP Server Version 1.3</h3> - </div> - - - <h1 align="CENTER">Why We Took PEM Out of Apache</h1> - On May 17th, 1995, we were asked by a representative of NCSA to - remove any copies of NCSA httpd prior to 1.4.1 from our web - site. They were mandated by the NSA to inform us that - redistribution of pre-1.4.1 code violated the same laws that - make distributing Phill Zimmerman's PGP package to other - countries illegal. There was <strong>no</strong> encryption in - NCSA's httpd, only hooks to publicly available libraries of PEM - code. By the NSA's rules, even hooks to this type of - application is illegal. - - <p>Because Apache is based on NCSA code, and we had basically - not touched that part of the software, we were informed that - Apache was also illegal to distribute to foreign countries, and - advised (not mandated) by NCSA to remove it. So, we removed - both the copies of the NCSA httpd we had, and all versions of - Apache previous to 0.6.5.</p> - - <p>The Apache members are strong advocates of the right to - digital privacy, so the decision to submit to the NSA and - remove the code was not an easy one. Here are some elements in - our rationale:</p> - - <ul> - <li>The PEM code in httpd was not widely used. No major site - relied upon its use, so its loss is not a blow to encryption - and security on the world wide web. 
There are other efforts - designed to give much more flexible security - SSL and SHTTP - - so this wasn't a function whose absence would really be - missed on a functional level.</li> - - <li>We didn't feel like being just a couple more martyrs in a - fight being fought very well by many other people. Rather - than have the machine that supports the project confiscated - or relocated to South Africa, <em>etc.</em>, we think there - are more efficient methods to address the issue.</li> - </ul> - It kind of sickens us that we had to do it, but so be it. - - <p>Patches that re-implement the PEM code may be available at a - foreign site soon. If it does show up, we'll point to it - that - can't be illegal!</p> - - <p>Finally, here is a compendium of pointers to sites related - to encryption and export law. We can't promise this list will - be up to date, so send us mail when you see a problem or want a - link added. Thanks.</p> - - <ul> - <li><a - href="http://dir.yahoo.com/Computers_and_Internet/security_and_encryption/"> - Yahoo - Science: Mathematics: Security and - Encryption</a></li> - - <li><a href="http://www.eff.org/Privacy/Crypto/">EFF - Crypto/Privacy/Security Archive</a></li> - - <li><a - href="http://www.quadralay.com/www/Crypt/Crypt.html">Crypto - page at Quadralay</a></li> - - <li><a - href="ftp://ftp.cygnus.com/pub/export/export.html">Cryptography - Export Control Archives (Cygnus)</a></li> - - <li><a href="http://www.law.indiana.edu/law/iclu.html">ICLU - - Your Rights in Cyberspace</a></li> - </ul> - <a href="http://www.behlendorf.com/~brian/">Brian</a>, <a - href="mailto:brian@hyperreal.com">brian@hyperreal.com</a> - <hr /> - - <h3 align="CENTER">Apache HTTP Server Version 1.3</h3> - <a href="./"><img src="../images/index.gif" alt="Index" /></a> - <a href="../"><img src="../images/home.gif" alt="Home" /></a> - - </body> -</html> - 
diff --git a/usr.sbin/httpd/htdocs/manual/misc/vif-info.html b/usr.sbin/httpd/htdocs/manual/misc/vif-info.html deleted file mode 100644 index a6a4f1a9285..00000000000 --- a/usr.sbin/httpd/htdocs/manual/misc/vif-info.html +++ /dev/null 
@@ -1,408 +0,0 @@ -<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" - "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> - -<html xmlns="http://www.w3.org/1999/xhtml"> - <head> - <meta name="generator" content="HTML Tidy, see www.w3.org" /> - - <title>Configuring Multiple IP Addresses</title> - </head> - <!-- Background white, links blue (unvisited), navy (visited), red (active) --> - - <body bgcolor="#FFFFFF" text="#000000" link="#0000FF" - vlink="#000080" alink="#FF0000"> - <div align="CENTER"> - <img src="../images/sub.gif" alt="[APACHE DOCUMENTATION]" /> - - <h3>Apache HTTP Server Version 1.3</h3> - </div> - - - <h1 align="CENTER">Configuring Multiple IP Addresses</h1> -<pre> -This material is originally from John Ioannidis (ji@polaris.ctr.columbia.edu) -I have condensed it some and applied some corrections for SunOS 4.1.x -courtesy of Chuck Smoko (csmoko@relay.nswc.navy.mil). - -Bob Baggerman (bob@bizweb.com) -12 Jan 94 - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= -John Ionnidis writes: - -This is a topic that comes up once in a while on comp.protocols.tcp-ip -and other newsgroups. The question is, how to get a machine with one -network interface to respond to more than one IP addresses. - -I have a solution than might suit you. For my doctoral work (there's -a paper about it in this year's ('91) SIGCOMM, also available for -anonymous FTP from cs.columbia.edu:/pub/ji/sigcomm*.ps.Z), I've -developed what I call the "Virtual Interface" (VIF). To the networking -code, it looks like an interface. It gets ifattach()ed when you open -the /dev/vif* device, and then you can ifconfig it as you like. It -does not have an if_input procedure; it only has an if_output. Packets -that it receives (from higher-level protocols) which have its -IP address, it simply loops back (like any well-behaved if driver). 
-Packets that it receives that are destined for some other address, it -encapsulates in an encapsulation protocol I call IPIP (IP-within-IP, -protocol number IPPROTO_IPIP == 94), and sends it to another machine -that groks that encapsulation protocol. This feature you won't need, -but here's how to have multiple IP addresses on a machine with a -single real interface: - -Let's say your primary interface's IP address is 198.3.2.1, and you -also want it to respond to addresses 198.4.3.2 and 198.5.4.3 (note -that these are three distinct class C addresses in three distinct -class C nets). Here are the ifconfigs: - - ifconfig le0 198.3.2.1 up -trailers # config primary interface - - ifconfig vif0 198.4.3.2 up # config first virtual interface - route delete net 198.4.3 198.4.3.2 # delete spurious route - route add host 198.4.3.2 198.4.3.2 0 # add route for this i/f - - ifconfig vif1 198.5.4.3 up # config second virtual interface - route delete net 198.5.4 198.5.4.3 # delete spurious route - route add host 198.5.4.3 198.5.4.3 0 # add route for this i/f - -The route deletes are needed because the ifconfig creates a default -route to the interface's network, which can cause problems; all that's -needed is the (host) route to the interface's address. - -Now, get le0's ethernet address (say, 8:0:20:3:2:1), and add the -following static ARP entries: - - arp -s 198.4.3.2 8:0:20:3:2:1 pub - arp -s 198.5.4.3 8:0:20:3:2:1 pub - -This will cause any ARP requests for the VIF addresses to be replied -with your machine's ethernet address. - -Now, make sure your default route is to your segment's gateway, -through the real interface. Finally, make sure your routers and/or -hosts on the same segment as yours know that 198.4.3.2 and 198.5.4.3 -are on that cable. - -Here's what you've accomplished. 
- -ARP requests for any of your host's addresses will be replied to with -the host's ethernet address (the real one, because that's what it is, -the virtual ones because of the public static arp entries). Packets -reaching your host with any of these addresses will be accepted by the -ip_input routine because they match the address of one of the host's -interfaces. Packets leaving your host can have any of its addresses -(real and virtual). - -The code for vif follows. To use it, put the stuff in netinet/if_vif.c -and netinet/if_vif.h, configure your kernel with the number of -virtual interfaces you want using a line like: - -pseudo-device vif4 # Virtual IP interface - -in your configuration file, and the line - -netinet/if_vif.c optional vif device-driver - -in the "files" file. Also, add the appropriate entries in conf.c, so -that you can access the if_attach() routine when you open the device: - - --------------------------- conf.c------------------------------------------ - -add this in the appropriate place in the headers of conf.c: - --------------------- -#include "vif.h" -#if NVIF > 0 -int vifopen(), vifclose(), vifread(), vifwrite(), vifselect(), vifioctl(); -#else -#define vifopen nodev -#define vifclose nodev -#define vifread nodev -#define vifwrite nodev -#define vifselect nodev -#define vifioctl nodev -#endif --------------------- - -then, way down in the definition for cdevsw[]: - --------------------- - vifopen, vifclose, vifread, vifwrite, /*14*/ - vifioctl, nodev, nodev, 0, - 0, nodev, --------------------- - -Make sure you remember the correct major device number, 14 in this case! - ---------------------------------------------------------------------------- - -Finally, here's the code. It has the tunneling pieces removed (you -need more code to use that anyway), and it comes from a Mach 2.6 -kernel; it should compile on any Berkeley-derived unix with minor -changes (most likely only in the includes). 
- ----------------------netinet/if_vif.h-------------------------------------- -typedef struct -{ - struct ifnet vif_if; - struct ifnet *vif_sif; /* slave interface */ - int vif_flags; -} vif_softc_t; - -#define VIFMTU (1024+512) ---------------------------------------------------------------------------- - -and - ----------------------netinet/if_vif.c-------------------------------------- -/* - * Virtual IP interface module. - */ - -#include "param.h" -#include "../sys/systm.h" -#include "../sys/mbuf.h" -#include "../sys/socket.h" -#include "../sys/errno.h" -#include "../sys/ioctl.h" - -#include "../net/if.h" -#include "../net/netisr.h" -#include "../net/route.h" - -#ifdef INET -#include "../netinet/in.h" -#include "../netinet/in_systm.h" -#include "../netinet/in_var.h" -#include "../netinet/ip.h" -#endif - -#include "in_pcb.h" -#include "vif.h" - -typedef struct -{ - struct ifnet vif_if; - struct ifnet *vif_sif; /* slave interface */ - int vif_flags; -} vif_softc_t; - -#define VIFMTU (1024+512) - -vif_softc_t vif_softc[NVIF]; - -int vifs_inited = 0; - - -vifattach() -{ - register int i; - register struct ifnet *ifp; - int vifoutput(), vififioctl(); - - for (i=0; i<NVIF; i++) - { - ifp = &vif_softc[i].vif_if; - ifp->if_name = "vif"; - ifp->if_unit = i; - ifp->if_mtu = VIFMTU; - ifp->if_flags = IFF_LOOPBACK | IFF_NOARP; - ifp->if_ioctl = vififioctl; - ifp->if_output = vifoutput; - if_attach(ifp); - } -} - -vifopen(dev, flag) -int dev, flag; -{ - int unit; - - if (!vifs_inited) - { - vifattach(); - vifs_inited = 1; - printf("vif initialized\n"); - } - - unit = minor(dev); - if ((unit < 0) || (unit >= NVIF)) - { - return ENXIO; - } - - return 0; -} - -vifclose(dev, flag) -int dev, flag; -{ - return 0; -} - -vifread() -{ - return ENXIO; -} - -vifwrite() -{ - return ENXIO; -} - -vifselect() -{ - return ENXIO; -} - -vifoutput(ifp, m0, dst) - struct ifnet *ifp; - register struct mbuf *m0; - struct sockaddr *dst; -{ - int s; - register struct ifqueue *ifq; - struct mbuf 
*m; - struct sockaddr_in *din; - - if (dst->sa_family != AF_INET) - { - printf("%s%d: can't handle af%d\n", - ifp->if_name, ifp->if_unit, - dst->sa_family); - m_freem(m0); - return (EAFNOSUPPORT); - } - - din = (struct sockaddr_in *)dst; - - if (din->sin_addr.s_addr == IA_SIN(ifp->if_addrlist)->sin_addr.s_addr) - { - /* printf("%s%d: looping\n", ifp->if_name, ifp->if_unit); */ - - /* - * Place interface pointer before the data - * for the receiving protocol. - */ - if (m0->m_off <= MMAXOFF && - m0->m_off >= MMINOFF + sizeof(struct ifnet *)) { - m0->m_off -= sizeof(struct ifnet *); - m0->m_len += sizeof(struct ifnet *); - } else { - MGET(m, M_DONTWAIT, MT_HEADER); - if (m == (struct mbuf *)0) - return (ENOBUFS); - m->m_off = MMINOFF; - m->m_len = sizeof(struct ifnet *); - m->m_next = m0; - m0 = m; - } - *(mtod(m0, struct ifnet **)) = ifp; - s = splimp(); - ifp->if_opackets++; - ifq = &ipintrq; - if (IF_QFULL(ifq)) { - IF_DROP(ifq); - m_freem(m0); - splx(s); - return (ENOBUFS); - } - IF_ENQUEUE(ifq, m0); - schednetisr(NETISR_IP); - ifp->if_ipackets++; - splx(s); - return (0); - } - - return EHOSTUNREACH; -} - -/* - * Process an ioctl request. - */ -/* ARGSUSED */ -vififioctl(ifp, cmd, data) - register struct ifnet *ifp; - int cmd; - caddr_t data; -{ - int error = 0; - - switch (cmd) { - - case SIOCSIFADDR: - ifp->if_flags |= IFF_UP; - /* - * Everything else is done at a higher level. - */ - break; - - default: - error = EINVAL; - } - return (error); -} - -vifioctl(dev, cmd, arg, mode) -dev_t dev; -int cmd; -caddr_t arg; -int mode; -{ - int unit; - - unit = minor(dev); - if ((unit < 0) || (unit >= NVIF)) - return ENXIO; - - return EINVAL; -} ----------------------------------------------------------------------------- - -To use it, compile your kernel, and reboot. 
Then create the vif -device: - -# mknod /dev/vif c 14 0 - -(or whatever major number it ended up being), and echo something into -it: - -# echo > /dev/vif - -This will cause the device to be opened, which will if_attach the -interfaces. If you feel like playing with the code, you may want to -kmem_alloc() the vif_softc structure at open time, and use the minor -number of the device to tell it how many interfaces to create. - -Now you can go ahead and ifconfig <em>etc.</em> - -I'll be happy to answer minor questions, and hear about success and -failure stories, but I cannot help you if you don't already know how -to hack kernels. - -Good luck! - -/ji - -In-Real-Life: John "Heldenprogrammer" Ioannidis -E-Mail-To: ji@cs.columbia.edu -V-Mail-To: +1 212 854 8120 -P-Mail-To: 450 Computer Science \n Columbia University \n New York, NY 10027 -</pre> - - <p>Note: there is also a <a - href="http://www.multihost.com/">commercial-product-turned-freeware - called "Col. Patch"</a> which does this as a loadable kernel - module for SunOS 4.1.3_U1.</p> - - <p> <hr /> - - <h3 align="CENTER">Apache HTTP Server Version 1.3</h3> - <a href="./"><img src="../images/index.gif" alt="Index" /></a> - <a href="../"><img src="../images/home.gif" alt="Home" /></a> - - </p> - </body> -</html> - diff --git a/usr.sbin/httpd/htdocs/manual/mod/core.html.html b/usr.sbin/httpd/htdocs/manual/mod/core.html.html index 4bede88ffaf..6d90427d685 100644 --- a/usr.sbin/httpd/htdocs/manual/mod/core.html.html +++ b/usr.sbin/httpd/htdocs/manual/mod/core.html.html 
@@ -4078,8 +4078,7 @@ Syntax OK accept IP packets for multiple addresses. (If the machine does not have multiple network interfaces, then this can be accomplished with the <code>ifconfig alias</code> command (if - your OS supports it), or with kernel patches like <a - href="../misc/vif-info.html">VIF</a> (for SunOS(TM) 4.1.x)). + your OS supports it). <p>You can specify more than one IP address. This is useful if a machine responds to the same name on two different diff --git a/usr.sbin/httpd/htdocs/manual/sitemap.html b/usr.sbin/httpd/htdocs/manual/sitemap.html index 248c9265295..16a4e131a06 100644 --- a/usr.sbin/httpd/htdocs/manual/sitemap.html +++ b/usr.sbin/httpd/htdocs/manual/sitemap.html @@ -151,8 +151,6 @@ Side Includes</a></li> <li><a href="misc/descriptors.html">Descriptors and Apache</a></li> <li><a href="misc/fin_wait_2.html">Connections in FIN_WAIT_2 and Apache</a></li> <li><a href="misc/known_client_problems.html">Known Client Problems</a></li> -<li><a href="misc/nopgp.html">Why We Took PEM Out of Apache</a></li> -<li><a href="misc/vif-info.html">Configuring Multiple IP Addresses</a></li> <li><a href="misc/windoz_keepalive.html">MS Windows Netscape 3.0b4 KeepAlive problem solved</a></li> <li><a href="misc/client_block_api.html">Reading Client Input in Apache 1.2</a></li> </ul></li> diff --git a/usr.sbin/httpd/htdocs/manual/vhosts/virtual-host.html b/usr.sbin/httpd/htdocs/manual/vhosts/virtual-host.html index 0c5116196d4..c745f25e786 100644 --- a/usr.sbin/httpd/htdocs/manual/vhosts/virtual-host.html +++ b/usr.sbin/httpd/htdocs/manual/vhosts/virtual-host.html 
@@ -65,9 +65,8 @@ Due to limitations in the HTTP/1.0 protocol, the web server <strong>must have a different IP address for each virtual host</strong>. This can be achieved by the machine having - several physical network connections, or by use of a <a - href="../misc/vif-info.html">virtual interface</a> on some - operating systems. + several physical network connections, or by use of + virtual interface on some operating systems. <h2>How to set up Apache</h2> There are two ways of configuring apache to support multiple |
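Review bot: In usr.sbin/httpd/htdocs/manual/mod/core.html.html (hunk @@ -4078,8 +4078,7 @@), the new line "your OS supports it)." closes only the inner "(if your OS supports it)" parenthesis, so the outer one opened at "(If the machine does not have multiple network interfaces" is left unclosed. The removed text ended in "4.1.x))." and supplied that second closing parenthesis. Suggest ending the line with "your OS supports it))." or dropping the outer parentheses so the rendered paragraph stays balanced.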
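Review bot: In usr.sbin/httpd/htdocs/manual/vhosts/virtual-host.html (hunk @@ -65,9 +65,8 @@), the replacement wording "by use of" / "virtual interface on some operating systems." loses the article that stood before the removed link ("by use of a"). Suggest "by use of a virtual interface on some operating systems." so the sentence still reads correctly once the link to vif-info.html is gone.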