[prev in list] [next in list] [prev in thread] [next in thread]
List: apache-httpd-dev
Subject: My own module and catching Proxy Request
From: Petr Hracek <phracek2 () gmail ! com>
Date: 2010-04-23 14:49:46
Message-ID: p2ubb856da11004230749n9b64d84bs3db6541693028188 () mail ! gmail ! com
[Download RAW message or body]
Authorization is based on username/password stored in database.
First of all I authenticate user and afterwards redirection is done.
I have following RewriteRule but it does not work at all.
RewriteRule ^/([^/]+)$ ${unity:$1|/$1} [L]
RewriteRule ^/([^/]+)/(.*) ${unity:$1|/opt/apache/htdocs/ssldocs/$1}/$2 [L]
which is used for my module and
in location is:
<Location "/PAC/">
ProxyPass http://192.168.187.150:8080/PACCBAdmin
ProxyPassReverse http://192.168.187.150:8080/PACCBAdmin/
ProxyPassReverseCookiePath /PACCBAdmin /PAC
Order Allow,Deny
Allow from all
</Location>
I hope that it is correct.
BR
Petr
2010/4/23 Jeffrey E Burgoyne <burgoyne@keenuh.com>
> I think that would require two modules as the authorization and redirect
> hooks happen at different phases. I've actually written modules for both
> of these phases, it is pretty easy as far as modules go. And remember, the
> authorization module will ALWAYS be called before the redirection modules,
> so you already know if you hit your redirection module that authorization
> was correct.
>
> You may not, however, have to write a module. You may be able to use one
> of the already provided auth modules plus mod_rewrite to do this.
>
> Now your authorization, is it based on a username/password, or some other
> restriction (i.e. connecting IP)?
>
> If username/password, is it basic authentication controlled? If not, I've
> no experience in that area. If it is, then what is the DB used?
>
>
> > Thanks but I forgott to mentioned that my module makes an authorization
> > against database and I would like to catch that if user access some proxy
> > than first of all he has to be authorized by my module and afterwards it
> > will be redirect to the proxy. Is it possible to do that somehow?
> >
> > Thanks
> >
> > 2010/4/23 Jeffrey E Burgoyne <burgoyne@keenuh.com>
> >
> >> I'm not using it in a specific module, although you easily could.
> >>
> >> I'm not at work today, but it goes something like this :
> >>
> >> I want to force all hits to go through our front end web server which
> >> acts
> >> as a reverse proxy to the back end apache server. The logic is if there
> >> is
> >> no X_FORWARDED_FOR (meaning it was not proxied), then redirect the hit
> >> to
> >> the front end reverse proxy server. I used the logic that if the
> >> X_FORWARDED_FOR did not start with 1-9 then it was not a valid proxied
> >> request :
> >>
> >> RewriteCond %{X_FORWARDED_FOR} !^[1-9]
> >> RewriteRule /(.*) http://proxiedhost.ca/$1 [R,L]
> >>
> >>
> >> For your module you can access the headers from the request pool and
> >> look
> >> for X_FORWARDED_FOR.
> >>
> >> Note it may be more complicated depending on your setup. Some load
> >> balancers put that value into the HTTP stream, so you may have to
> >> account
> >> for that. If it runs through multiple proxies (perhaps including a load
> >> balancer), the IP's will be list form comma seperated.
> >>
> >> Note too I have DNS lookups off, so if you have them on I suspect you
> >> would get the DNS name, not the IP, but I cannot say with 100%
> >> certainty.
> >>
> >>
> >> for example,
> >>
> >> if a client from 192.168.2.10 access 10.10.10.10, the web server sees :
> >>
> >> connecting IP - 192.168.2.10
> >> X_FORWARDED_HEADER - blank
> >>
> >> If the server at 10.10.10.10 proxies to 10.20.20.20 the web server at
> >> the
> >> .20 address sees :
> >>
> >> connecting IP - 10.10.10.01
> >> X_FORWARDED_HEADER - 192.168.2.10
> >>
> >>
> >>
> >>
> >>
> >>
> >> > How do you have configured RewriteRule together with your own module?
> >> > Could you please send me more details or example?
> >> >
> >> > Thanks
> >> > Petr
> >> >
> >> > 2010/4/23 Jeffrey E Burgoyne <burgoyne@keenuh.com>
> >> >
> >> >> I use the environment variable X_FORWARDED_FOR
> >> >>
> >> >>
> >> >> http://en.wikipedia.org/wiki/X-Forwarded-For
> >> >>
> >> >>
> >> >> with mod_rewrite to determine if it came via a proxy or not.
> >> >>
> >> >> It may be of use to you.
> >> >>
> >> >>
> >> >>
> >> >> > 2010/4/22 Petr Hracek <phracek2@gmail.com>
> >> >> >
> >> >> >> Hello *,
> >> >> >>
> >> >> >> I hope that I am sending those question to the correct discussion
> >> >> list.
> >> >> >>
> >> >> >> In my Apache2 (2.2.3) configuration file I have:
> >> >> >> <VirtualHost _default_:443>
> >> >> >> SSLEngine on
> >> >> >> DocumentRoot "/opt/apache/htdocs/ssldocs"
> >> >> >> ProxyPass /PAC/ http://192.168.187.101:8080/PACCBAdmin
> >> >> >> ProxyPassReverse /PAC/
> >> >> http://192.168.187.150:8080/PACCBAdmin/
> >> >> >> RewriteEngine on
> >> >> >> RewriteCond %{REQUEST_METHOD} ^TRACE
> >> >> >> RewriteRule .* - [F]
> >> >> >> RewriteMap unity txt:/opt/apache/conf/unity.map
> >> >> >> RewriteRule ^/([^/]+)$ ${unity:$1|/$1} [L]
> >> >> >> RewriteRule ^/([^/]+)/(.*)
> >> >> ${unity:$1|/opt/apache/htdocs/ssldocs/$1}/$2
> >> >> >> [L]
> >> >> >> RewriteLog "/var/log/apache2/rewrite_log"
> >> >> >> RewriteLogLevel 3
> >> >> >>
> >> >> >> <Location "/PAC/">
> >> >> >> ProxyPassReverseCookiePath /PACCBAdmin /PAC
> >> >> >> Order Allow,Deny
> >> >> >> Allow from all
> >> >> >> </Location>
> >> >> >>
> >> >> >> </VirtualHost>
> >> >> >>
> >> >> >> In the my modules which takes care about AAA, Security issues,
> >> etc.
> >> >> >> I would like to catch in my module when URL contains /PAC/ (which
> >> >> means
> >> >> >> that this is proxy) than it tell to module that this request is
> >> not a
> >> >> >> bussiness for them.
> >> >> >> Is it possible to do that somehow?
> >> >> >> I have found that r->proxyreq contains if the Request is Proxy or
> >> >> not.
> >> >> >>
> >> >> >> Thank you in advance
> >> >> >> --
> >> >> >> Best Regards / S pozdravem
> >> >> >> Petr Hracek
> >> >> >>
> >> >> >
> >> >> > Hello *,
> >> >> >
> >> >> > May be I have asked wrongly.
> >> >> >
> >> >> > How can I detect if the request from browser if Proxy or not?
> >> >> > How should I configure apache for that case?
> >> >> >
> >> >> > --
> >> >> > Best Regards / S pozdravem
> >> >> > Petr Hracek
> >> >> >
> >> >>
> >> >>
> >> >> --
> >> >> Jeffrey Burgoyne
> >> >> Chief Technology Officer
> >> >> KCSI Keenuh Consulting Services Inc
> >> >> www.keenuh.com
> >> >> burgoyne@keenuh.com
> >> >>
> >> >>
> >> >>
> >> >
> >> >
> >> > --
> >> > Best Regards / S pozdravem
> >> > Petr Hracek
> >> >
> >>
> >>
> >> --
> >> Jeffrey Burgoyne
> >> Chief Technology Officer
> >> KCSI Keenuh Consulting Services Inc
> >> www.keenuh.com
> >> burgoyne@keenuh.com
> >>
> >>
> >>
> >
> >
> > --
> > Best Regards / S pozdravem
> > Petr Hracek
> >
>
>
> --
> Jeffrey Burgoyne
> Chief Technology Officer
> KCSI Keenuh Consulting Services Inc
> www.keenuh.com
> burgoyne@keenuh.com
>
>
>
--
Best Regards / S pozdravem
Petr Hracek
--
Best Regards / S pozdravem
Petr Hracek
[Attachment #3 (text/html)]
<div class="gmail_quote">Authorization is based on username/password stored in \
database.<br>First of all I authenticate user and afterwards redirection is \
done.<br><br>I have following RewriteRule but it does not work at all.<div \
class="im"> <br>RewriteRule ^/([^/]+)$ ${unity:$1|/$1} \
[L]<br> RewriteRule ^/([^/]+)/(.*) ${unity:$1|/opt/apache/htdocs/ssldocs/$1}/$2 \
[L]<br></div>which is used for my module and<br>in location is:<br><Location \
"/PAC/"><br> ProxyPass <a \
href="http://192.168.187.150:8080/PACCBAdmin" \
target="_blank">http://192.168.187.150:8080/PACCBAdmin</a><br>
ProxyPassReverse <a href="http://192.168.187.150:8080/PACCBAdmin/" \
target="_blank">http://192.168.187.150:8080/PACCBAdmin/</a><div class="im"><br> \
ProxyPassReverseCookiePath /PACCBAdmin /PAC<br> Order \
Allow,Deny<br> Allow from all<br>
</Location><br><br></div>I hope that it is correct.<br>BR<div><div></div><div \
class="h5"><br>Petr<br><br><div class="gmail_quote">2010/4/23 Jeffrey E Burgoyne \
<span dir="ltr"><<a href="mailto:burgoyne@keenuh.com" \
target="_blank">burgoyne@keenuh.com</a>></span><br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px \
solid rgb(204, 204, 204); padding-left: 1ex;">I think that would require two modules \
as the authorization and redirect<br> hooks happen at different phases. I've \
actually written modules for both<br> of these phases, it is pretty easy as far as \
modules go. And remember, the<br> authorization module will ALWAYS be called before \
the redirection modules,<br> so you already know if you hit your redirection module \
that authorization<br> was correct.<br>
<br>
You may not, however, have to write a module. You may be able to use one<br>
of the already provided auth modules plus mod_rewrite to do this.<br>
<br>
Now your authorization, is it based on a username/password, or some other<br>
restriction (i.e. connecting IP)?<br>
<br>
If username/password, is it basic authentication controlled? If not, I've<br>
no experience in that area. If it is, then what is the DB used?<br>
<div><div></div><div><br>
<br>
> Thanks but I forgott to mentioned that my module makes an authorization<br>
> against database and I would like to catch that if user access some proxy<br>
> than first of all he has to be authorized by my module and afterwards it<br>
> will be redirect to the proxy. Is it possible to do that somehow?<br>
><br>
> Thanks<br>
><br>
> 2010/4/23 Jeffrey E Burgoyne <<a href="mailto:burgoyne@keenuh.com" \
target="_blank">burgoyne@keenuh.com</a>><br> ><br>
>> I'm not using it in a specific module, although you easily could.<br>
>><br>
>> I'm not at work today, but it goes something like this :<br>
>><br>
>> I want to force all hits to go through our front end web server which<br>
>> acts<br>
>> as a reverse proxy to the back end apache server. The logic is if there<br>
>> is<br>
>> no X_FORWARDED_FOR (meaning it was not proxied), then redirect the hit<br>
>> to<br>
>> the front end reverse proxy server. I used the logic that if the<br>
>> X_FORWARDED_FOR did not start with 1-9 then it was not a valid proxied<br>
>> request :<br>
>><br>
>> RewriteCond %{X_FORWARDED_FOR} !^[1-9]<br>
>> RewriteRule /(.*) <a href="http://proxiedhost.ca/$1" \
target="_blank">http://proxiedhost.ca/$1</a> [R,L]<br> >><br>
>><br>
>> For your module you can access the headers from the request pool and<br>
>> look<br>
>> for X_FORWARDED_FOR.<br>
>><br>
>> Note it may be more complicated depending on your setup. Some load<br>
>> balancers put that value into the HTTP stream, so you may have to<br>
>> account<br>
>> for that. If it runs through multiple proxies (perhaps including a load<br>
>> balancer), the IP's will be list form comma seperated.<br>
>><br>
>> Note too I have DNS lookups off, so if you have them on I suspect you<br>
>> would get the DNS name, not the IP, but I cannot say with 100%<br>
>> certainty.<br>
>><br>
>><br>
>> for example,<br>
>><br>
>> if a client from 192.168.2.10 access 10.10.10.10, the web server sees :<br>
>><br>
>> connecting IP - 192.168.2.10<br>
>> X_FORWARDED_HEADER - blank<br>
>><br>
>> If the server at 10.10.10.10 proxies to 10.20.20.20 the web server at<br>
>> the<br>
>> .20 address sees :<br>
>><br>
>> connecting IP - 10.10.10.01<br>
>> X_FORWARDED_HEADER - 192.168.2.10<br>
>><br>
>><br>
>><br>
>><br>
>><br>
>><br>
>> > How do you have configured RewriteRule together with your own \
module?<br> >> > Could you please send me more details or example?<br>
>> ><br>
>> > Thanks<br>
>> > Petr<br>
>> ><br>
>> > 2010/4/23 Jeffrey E Burgoyne <<a href="mailto:burgoyne@keenuh.com" \
target="_blank">burgoyne@keenuh.com</a>><br> >> ><br>
>> >> I use the environment variable X_FORWARDED_FOR<br>
>> >><br>
>> >><br>
>> >> <a href="http://en.wikipedia.org/wiki/X-Forwarded-For" \
target="_blank">http://en.wikipedia.org/wiki/X-Forwarded-For</a><br> >> \
>><br> >> >><br>
>> >> with mod_rewrite to determine if it came via a proxy or not.<br>
>> >><br>
>> >> It may be of use to you.<br>
>> >><br>
>> >><br>
>> >><br>
>> >> > 2010/4/22 Petr Hracek <<a href="mailto:phracek2@gmail.com" \
target="_blank">phracek2@gmail.com</a>><br> >> >> ><br>
>> >> >> Hello *,<br>
>> >> >><br>
>> >> >> I hope that I am sending those question to the correct \
discussion<br> >> >> list.<br>
>> >> >><br>
>> >> >> In my Apache2 (2.2.3) configuration file I have:<br>
>> >> >> <VirtualHost _default_:443><br>
>> >> >> SSLEngine on<br>
>> >> >> DocumentRoot "/opt/apache/htdocs/ssldocs"<br>
>> >> >> ProxyPass /PAC/ <a \
href="http://192.168.187.101:8080/PACCBAdmin" \
target="_blank">http://192.168.187.101:8080/PACCBAdmin</a><br> >> >> \
>> ProxyPassReverse /PAC/<br> >> >> <a \
href="http://192.168.187.150:8080/PACCBAdmin/" \
target="_blank">http://192.168.187.150:8080/PACCBAdmin/</a><br> >> >> \
>> RewriteEngine on<br> >> >> >> RewriteCond \
%{REQUEST_METHOD} ^TRACE<br> >> >> >> RewriteRule .* - [F]<br>
>> >> >> RewriteMap unity txt:/opt/apache/conf/unity.map<br>
>> >> >> RewriteRule ^/([^/]+)$ ${unity:$1|/$1} \
[L]<br> >> >> >> RewriteRule ^/([^/]+)/(.*)<br>
>> >> ${unity:$1|/opt/apache/htdocs/ssldocs/$1}/$2<br>
>> >> >> [L]<br>
>> >> >> RewriteLog "/var/log/apache2/rewrite_log"<br>
>> >> >> RewriteLogLevel 3<br>
>> >> >><br>
>> >> >> <Location "/PAC/"><br>
>> >> >> ProxyPassReverseCookiePath /PACCBAdmin /PAC<br>
>> >> >> Order Allow,Deny<br>
>> >> >> Allow from all<br>
>> >> >> </Location><br>
>> >> >><br>
>> >> >> </VirtualHost><br>
>> >> >><br>
>> >> >> In the my modules which takes care about AAA, Security \
issues,<br> >> etc.<br>
>> >> >> I would like to catch in my module when URL contains /PAC/ \
(which<br> >> >> means<br>
>> >> >> that this is proxy) than it tell to module that this \
request is<br> >> not a<br>
>> >> >> bussiness for them.<br>
>> >> >> Is it possible to do that somehow?<br>
>> >> >> I have found that r->proxyreq contains if the Request \
is Proxy or<br> >> >> not.<br>
>> >> >><br>
>> >> >> Thank you in advance<br>
>> >> >> --<br>
>> >> >> Best Regards / S pozdravem<br>
>> >> >> Petr Hracek<br>
>> >> >><br>
>> >> ><br>
>> >> > Hello *,<br>
>> >> ><br>
>> >> > May be I have asked wrongly.<br>
>> >> ><br>
>> >> > How can I detect if the request from browser if Proxy or \
not?<br> >> >> > How should I configure apache for that case?<br>
>> >> ><br>
>> >> > --<br>
>> >> > Best Regards / S pozdravem<br>
>> >> > Petr Hracek<br>
>> >> ><br>
>> >><br>
>> >><br>
>> >> --<br>
>> >> Jeffrey Burgoyne<br>
>> >> Chief Technology Officer<br>
>> >> KCSI Keenuh Consulting Services Inc<br>
>> >> <a href="http://www.keenuh.com" \
target="_blank">www.keenuh.com</a><br> >> >> <a \
href="mailto:burgoyne@keenuh.com" target="_blank">burgoyne@keenuh.com</a><br> \
>> >><br> >> >><br>
>> >><br>
>> ><br>
>> ><br>
>> > --<br>
>> > Best Regards / S pozdravem<br>
>> > Petr Hracek<br>
>> ><br>
>><br>
>><br>
>> --<br>
>> Jeffrey Burgoyne<br>
>> Chief Technology Officer<br>
>> KCSI Keenuh Consulting Services Inc<br>
>> <a href="http://www.keenuh.com" target="_blank">www.keenuh.com</a><br>
>> <a href="mailto:burgoyne@keenuh.com" \
target="_blank">burgoyne@keenuh.com</a><br> >><br>
>><br>
>><br>
><br>
><br>
> --<br>
> Best Regards / S pozdravem<br>
> Petr Hracek<br>
><br>
<br>
<br>
</div></div>--<br>
<div><div></div><div>Jeffrey Burgoyne<br>
Chief Technology Officer<br>
KCSI Keenuh Consulting Services Inc<br>
<a href="http://www.keenuh.com" target="_blank">www.keenuh.com</a><br>
<a href="mailto:burgoyne@keenuh.com" target="_blank">burgoyne@keenuh.com</a><br>
<br>
<br>
</div></div></blockquote></div><br><br clear="all"><br></div></div>-- \
<br><div><div></div><div class="h5">Best Regards / S pozdravem<br>Petr Hracek<br> \
</div></div></div><br><br clear="all"><br>-- <br>Best Regards / S pozdravem<br>Petr \
Hracek<br>
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic