Heya, I've been using elog for a year or so, with a proxy through Apache,
but recently I've ran into some trouble with my Apache config, where
spammers were using my incorrectly configured proxy to send spam.

I have
some requests for the Administrator's Guide: "Running elogd under Apache". 
I'm hoping a few little notes will save others the trouble I've gone
through. Neither of these are any fault of elog's or Apache's, but of my own
ignorance. (I am using elog 2.3.9, and Apache 2.something, if that matters)

1) When doing "ProxyPass ..." when setting up elog under Apache, do NOT put
"ProxyRequests On".  This is not needed, if it is enabled and not set up
correctly, it allows spammers to send spam via Apache's proxy.  More
information on this is here: http://www.apacheweek.com/issues/03-07-25,
about halfway down the page, under "Spammers use open Apache proxies"

Even though it doesn't mention ProxyRequests in the guide, I think there
should be a little side note mentioning that "ProxyRequests On" is NOT
needed, because I put it in, thinking it was - I am probably not the only one.

2) I have found that mod_proxy_http.c must be loaded in addition to
mod_proxy.c and mod_alias.c for the proxy to work, otherwise I get a 403
error.  I think this should be mentioned as well.

Thanks, I added a note into the admin guide.

No big deal - I looked at the code and you did a much more thorough job than I
would have done. Appreciate all of the hard work -- this product is masterful!

> Sorry for that. The idea is that the -4 is the minor number between releases
> (mainly for bug fixes and impatient users (;-) ). I accidently overwrote the
> -4 version several times when testing a new RPM building scheme, but I promise
> to take more care in the future (:-)))
> 
> Having the CVS revision in the executable is however a good idea and I will
> put it in.
> 
> > Stefan, would it be ok to add the "minor" revision level to the VERSION
> > constant?  I've been doing this after I download source just so I can keep
> > things straight, you keep cranking out versions ;->
> > 
> > EX: 
> > #define VERSION "2.5.4-4"
> > BECOMES
> > #define VERSION "2.5.4-4-1.483" or something like that?
> > 
> > Just a thought.
> > 
> > Thanks

> > The only common denominator that could possibly cover all contingencies would
> > be LDAP authentication.  One way of doing this in a more-or-less universal
> > fashion is to offload the auth task from eLog itself and place the burden on
> > Apache.  This means figuring out how to get Apache to pass auth info to eLog
> > when eLog operates behind Apache.  In the end, anything that can use LDAP as an
> > authentication mechanism (like AD) can host eLog - as long as eLog can glom off
> > of Apache's ability to do the actual authenticating.  
> 
> That sounds to me like a great idea. If anybody gets this working, people would be
> grateful if this could be submitted to the "Contributions" section of this forum.

Ah, you test me!  Perhaps I will attempt to dig into this but I may have to leave the
integration up to you, Stefan.  Seems that there would be two roads to go:
1> Move away from standalone and start to rely on Apache
2> Continue with the standalone theme and build in LDAP authentication (which could
also give you groups functions as well). 

I think I would opt for <2>

> Ah, you test me!  Perhaps I will attempt to dig into this but I may have to leave the
> integration up to you, Stefan.  Seems that there would be two roads to go:
> 1> Move away from standalone and start to rely on Apache
> 2> Continue with the standalone theme and build in LDAP authentication (which could
> also give you groups functions as well). 
> 
> I think I would opt for <2>

<1> would only make sense if the functionality could be completely implemented inside
Apache, without (much) modification of elog. Otherwise I agree that <2> would be more
following the general lines of elog. I was considering to implement PAM (pluggable
authorization module) support into elog, which is quite easy to implement and gives you
to power of having LDAP, Kerberos, Unix username, Windows NT Domain and much more. But
that would them be restricted to elog running under Linux (and Solaris I guess), since
I'm not aware of a PAM implementation under Windows.

Implementing LDAP directly into elog gives me the problem that we don't use LDAP
authentication at our institute (it's Kerberos in fact). So I would have to set up my own
LDAP server for testing, plus we at our institute don't have a direct benefit from that,
which would make it hard for me to justify to spend time on.

> > Ah, you test me!  Perhaps I will attempt to dig into this but I may have to leave the
> > integration up to you, Stefan.  Seems that there would be two roads to go:
> > 1> Move away from standalone and start to rely on Apache
> > 2> Continue with the standalone theme and build in LDAP authentication (which could
> > also give you groups functions as well). 
> > 
> > I think I would opt for <2>
> 
> <1> would only make sense if the functionality could be completely implemented inside
> Apache, without (much) modification of elog. Otherwise I agree that <2> would be more
> following the general lines of elog. I was considering to implement PAM (pluggable
> authorization module) support into elog, which is quite easy to implement and gives you
> to power of having LDAP, Kerberos, Unix username, Windows NT Domain and much more. But
> that would them be restricted to elog running under Linux (and Solaris I guess), since
> I'm not aware of a PAM implementation under Windows.
> 
> Implementing LDAP directly into elog gives me the problem that we don't use LDAP
> authentication at our institute (it's Kerberos in fact). So I would have to set up my own
> LDAP server for testing, plus we at our institute don't have a direct benefit from that,
> which would make it hard for me to justify to spend time on.


Yes, PAM is highly dependent upon Unix and PAM would work under Solaris just fine.  Your
problem lies with Windows - hence my LDAP suggestion.

And LDAP isn't an easy thing to setup, but I bet there is a quick and dirty "test" bench that
could be rigged using OpenLDAP.  Like I indicated, I'll see what I can dig up on this front -
but I make no promises wrt delivery time!

> > uhm ok .. can I expect to get a release with this feature in the near future ?
> 
> I checked how I would do that and did not find a good solution. If I put a
> 
> <img width=300 ...> 
> 
> for example, this scales down a big picture to only 300 pixels width. But if you submit a small
> picture, like just an icon, it blows it up to 300 pixels as well, which does not look nice.
> Unfortunatle I don't know of any option like "maxwidth=x" which only scales pictures down if they
> are larger than x. Do you know?

the following patch should do the job:


#################################################################################
--- elogd_orig.c        2005-02-03 16:46:10.000000000 +0100
+++ elogd_imgscale.c    2005-02-08 18:58:14.000000000 +0100
@@ -13690,9 +13690,14 @@
                       ("<tr><td colspan=%d class=\"attachment\">%s %d: <a href=\"%s\">%s</a>\n",
                        colspan, loc("Attachment"), index + 1, ref, attachment[index] + 14);
                   if (show_attachments)
-                     rsprintf
-                         ("</td></tr><tr><td colspan=%d class=\"messagelist\"><img
src=\"%s\"></td></tr>",
-                          colspan, ref);
+                     if (!getcfg(lbs->name, "Attached image width", str, sizeof(str))) {
+                        rsprintf("</td></tr><tr><td colspan=%d class=\"messagelist\"><img
src=\"%s\"></td></tr>",
+                                 colspan, ref);
+                    } else {
+                        rsprintf("</td></tr><tr><td colspan=%d class=\"messagelist\">"
+                                 "<div style=\"width: %s\"><img src=\"%s\" style=\"width:
100%\"></div></td></tr>",
+                                 colspan, str, ref);
+                    }
                } else {
                   rsprintf
                       ("<tr><td colspan=%d class=\"attachment\">%s %d: <a href=\"%s\">%s</a>\n",
@@ -18090,7 +18095,10 @@
                   if (is_image(att)) {
                      rsprintf("<tr><td class=\"messageframe\">\n");
                      rsprintf("<a name=\"att%d\"></a>\n", index + 1);
-                     rsprintf("<img src=\"%s\"></td></tr>", ref);
+                     if (!getcfg(lbs->name, "Attached image width entry", str, sizeof(str)))
+                        rsprintf("<img src=\"%s\"></td></tr>", ref);
+                    else
+                        rsprintf("<div style=\"width: %s\"><img src=\"%s\" style=\"width:
100%\"></div></td></tr>", str, ref);
                      rsprintf("</td></tr>\n\n");
                   } else {
                      if (is_ascii(file_name)) {
##########################################################################################

two new elog.conf parameters are defined:
Attached image width          ; width of full view image attached
Attached image width entry    ; width of attached image in the entry list view

plz apply :-)

Are you sure that this does not stretch small images? Please see elog:931

> two new elog.conf parameters are defined:
> Attached image width          ; width of full view image attached
> Attached image width entry    ; width of attached image in the entry list view

I would rather go with a new class in the CSS file to contain this options, since I 
want to keep the number of options as small as possible.