Comments were broken, reCAPTCHA issue with chroot Apache and PF
Wednesday, November 21st, 2007

I just realised that posting of comments was broken on my site for at least a while. I had been wondering why there was nothing in my moderation queue for some time.
The exact reason is interesting. First of all, this site is hosted under a chroot()-ed Apache, with mod_php5, running on OpenBSD. Because of the prevalence of PHP vulnerabilities - especially in terms of using them to send out spam and so forth - we’ve locked down outgoing connections from the apache user at the packet filter (PF) level. The exact rule is: block out log proto { tcp, udp } all user www. However, the captcha service I use - reCAPTCHA - requires that the webserver connect to its hosts to verify input. I had therefore explicitly allowed Apache to connect to the specific reCAPTCHA host for this purpose.
It turns out that the DNS for the various reCAPTCHA services had changed, so I needed to update my PF rules. Sorry for the outage!
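The following pf.conf fragment is an added example of the setup described above, not the author's actual ruleset: the blanket block on the www user, an allow-list table for the captcha verifier, and a way to refresh that table from DNS. The host name and the ports are placeholders, and the point of the table is the one the outage illustrates: PF resolves host names only when the ruleset (or table) is loaded, so a provider-side DNS change quietly breaks the pass rule.

```pf
# Added example pf.conf fragment (not the author's ruleset). The host name
# is a placeholder; use the verification host(s) the captcha library actually
# contacts. Ports 80/443 are an assumption.

# Default: the Apache user (www) may not originate any TCP or UDP traffic,
# so a compromised PHP script cannot send mail or phone home.
block out log proto { tcp, udp } all user www

# Allow-list for the captcha verifier. Names in a table (or in a rule) are
# resolved to addresses once, when pfctl loads the ruleset, so a DNS change
# on the provider's side silently breaks the pass rule until it is reloaded.
table <captcha_verify> persist { verify.captcha-provider.example }

pass out quick proto tcp from any to <captcha_verify> port { 80, 443 } user www

# Refresh the table from DNS without reloading the whole ruleset (e.g. from
# cron), so the allow-list tracks the provider's address changes:
#   pfctl -t captcha_verify -T replace verify.captcha-provider.example
```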