[prev in list] [next in list] [prev in thread] [next in thread]
List: apache-httpd-users
Subject: [users@httpd] Re: ProxyPass OK, but not ProxyPassMatch for favicon.ico
From: "Scott A. Wozny" <sawozny () hotmail ! com>
Date: 2021-01-04 22:10:11
Message-ID: BLAPR06MB7011E697B9A9B7D52DBD2677A8D20 () BLAPR06MB7011 ! namprd06 ! prod ! outlook ! com
[Download RAW message or body]
OK, so I figured out what=92s going on, but it has opened up a whole new my=
stery for me.
I took a look at the back-end server logs and for everything that was =93wo=
rking=94 I found that, for a config line like this:
ProxyPassMatch "^/login$" balancer://webfarm/login.php
A request to https://servername/login produced an access_log entry like thi=
s:
"GET /login.php/login HTTP/1.1" 200 610 "-" "Mozilla/5.0 (X11; Ubuntu; Linu=
x x86_64; rv:84.0) Gecko/20100101 Firefox/84.0"
So, why this works, is a mystery to me, but I do get /login.php run and ret=
urned (and also /login in the $_SERVER superglobal PATH_INFO variable).
But, when I use the config line of:
ProxyPassMatch "^/favicon.ico$" balancer://webfarm/favicon.ico
I get an access_log entry of:
"GET /favicon.ico/favicon.ico HTTP/1.1" 404 221 "https://servername/server"=
"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:84.0) Gecko/20100101 Firefox/8=
4.0"
So I guess Apache knows to pass the first example the PHP file to the PHP-F=
PM interpreter even with extraneous trailing data, but not to return the fa=
vicon.ico file when asked for /favicon.ico/favicon.ico. Since I don't know=
how the first example is working, I guess I can't be too upset about the s=
econd example not working at all.
Anyway, that explains my 404 on requests for favicon.ico when using ProxyPa=
ssMatch. But it now raises the question of why the reverse proxy is doing t=
aking the "front-end" URI onto the "back-end" URL. According to https://htt=
pd.apache.org/docs/current/mod/mod_proxy.html#proxypassmatch =93The supplie=
d regular expression is matched against the url, and if it matches, the ser=
ver will substitute any parenthesized matches into the given string and use=
it as a new url.=94 So, to my understanding, since I didn=92t provide any =
parenthesized matches, I wouldn=92t expect it to tag anything onto the URL =
sent to the back-end server, yet it does. It tags on the entire RegEx.
So what I can do is rework my ProxyPassMatch lines with parens and things w=
ork as described like:
ProxyPassMatch "^/(login)$" balancer://webfarm/$1.php
ProxyPassMatch "^/(favicon.ico)$" balancer://webfarm/$1
But why does ProxyPassMatch force the RegEx onto the end of the proxied URL=
when I don=92t use parentheses. Am I doing something wrong or is this a bu=
g?
Thanks in advance for any suggestions,
Scott
________________________________
From: Scott A. Wozny <sawozny@hotmail.com>
Sent: January 3, 2021 5:45 PM
To: users@httpd.apache.org <users@httpd.apache.org>
Subject: [users@httpd] ProxyPass OK, but not ProxyPassMatch for favicon.ico
I=92m configuring a reverse proxy in stages. Initially, I just wanted to se=
e if the proxying would work, so In a virtual server, I set up a Proxy bala=
ncer://webfarm with a couple BalancerMembers inside and an lbmethod of byre=
quests. Then I used a:
ProxyPass / balancer://webfarm
to make sure I could get to the content on the back end server and it all w=
orked fine. If a file was accessible on the back-end, I would get it back.
Then, to lock things down further, I removed the prefix-based ProxyPass lin=
e and replaced it with a series of:
ProxyPassMatch "^/pagename$" balancer://webfarm/pagename.php
lines for each page followed by a:
ProxyPass / !
to send everything not explicitly allowed a 404. This all works fine.
Checking my logs I saw favicon.ico was getting sent 404s on the proxy serve=
r, so I added a line to my config with the other allowed elements:
ProxyPassMatch "^/favicon.ico$" balancer://webfarm/favicon.ico
but after restarting Apache, I still get 404s. Thinking there may be someth=
ing trailing or following that I can=92t see, I tried:
ProxyPassMatch "favicon.ico" balancer://webfarm/favicon.ico
restarted and still 404s. The only way I can make it work is with
ProxyPass /favicon.ico balancer://webfarm/favicon.ico
which, while not the end of the world, is inconsistent with my overall lock=
down strategy so I=92m wondering if anyone can tell me where I went wrong. =
I haven=92t gotten to the allow-list for my images yet, but I=92m worried I=
=92m going to have the same problem with them.
Also, I know the ProxyPassMatch line is definitely matching for favicon.ico=
because even if I put the ProxyPass / that passes everything to the back-e=
nd server back into the config, if it=92s below the ProxyPassMatch line for=
favicon.ico I still get a 404.
Thanks,
Scott
[Attachment #3 (text/html)]
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} \
</style> </head>
<body dir="ltr">
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: \
rgb(0, 0, 0);"> <p style="margin-bottom:0in;line-height:100%">OK, so I figured out \
what’s going on, but it has opened up a whole new mystery for me.</p> <p \
style="margin-bottom:0in;line-height:100%"><br> </p>
<p style="margin-bottom:0in;line-height:100%">I took a look at the back-end server \
logs and for everything that was “working” I found that, for a config line like this: \
</p> <p style="margin-bottom:0in;line-height:100%"><br>
</p>
<p style="margin-bottom:0in;line-height:100%">ProxyPassMatch "^/login$" \
balancer://webfarm/login.php</p> <p style="margin-bottom:0in;line-height:100%"><br>
</p>
<p style="margin-bottom:0in;line-height:100%">A request to <a \
href="https://servername/login"> https://servername/login</a> produced an access_log \
entry like this:</p> <p style="margin-bottom:0in;line-height:100%"><br>
</p>
<p style="margin-bottom:0in;line-height:100%">"GET /login.php/login \
HTTP/1.1" 200 610 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; \
rv:84.0) Gecko/20100101 Firefox/84.0"</p> <p \
style="margin-bottom:0in;line-height:100%"><br> </p>
<p style="margin-bottom:0in;line-height:100%">So, why this works, is a mystery to me, \
but I do get /login.php run and returned (and also /login in the $_SERVER superglobal \
PATH_INFO variable).</p> <p style="margin-bottom:0in;line-height:100%"><br>
</p>
<p style="margin-bottom:0in;line-height:100%">But, when I use the config line of:</p>
<p style="margin-bottom:0in;line-height:100%"><br>
</p>
<p style="margin-bottom:0in;line-height:100%">ProxyPassMatch \
"^/favicon.ico$" balancer://webfarm/favicon.ico</p> <p \
style="margin-bottom:0in;line-height:100%"><br> </p>
<p style="margin-bottom:0in;line-height:100%">I get an access_log entry of:</p>
<p style="margin-bottom:0in;line-height:100%"><br>
</p>
<p style="margin-bottom:0in;line-height:100%">"GET /favicon.ico/favicon.ico \
HTTP/1.1" 404 221 "https://servername/server" "Mozilla/5.0 (X11; \
Ubuntu; Linux x86_64; rv:84.0) Gecko/20100101 Firefox/84.0"</p> <p \
style="margin-bottom:0in;line-height:100%"><br> </p>
<p style="margin-bottom:0in;line-height:100%">So I guess Apache knows to pass the \
first example the PHP file to the PHP-FPM interpreter even with extraneous trailing \
data, but not to return the favicon.ico file when asked for \
/favicon.ico/favicon.ico. Since I don't know how the first example is working, \
I guess I can't be too upset about the second example not working at all.<br> </p>
<p style="margin-bottom:0in;line-height:100%"><br>
</p>
<p style="margin-bottom:0in;line-height:100%">Anyway, that explains my 404 on \
requests for favicon.ico when using ProxyPassMatch. But it now raises the question of \
why the reverse proxy is doing taking the "front-end" URI onto the \
"back-end" URL. According to <a \
href="https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypassmatch"> \
https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypassmatch</a> “The \
supplied regular expression is matched against the url, and if it matches, the server \
will substitute any parenthesized matches into the given string and use it as a new \
url.” So, to my understanding, since I didn’t provide any parenthesized matches, I \
wouldn’t expect it to tag anything onto the URL sent to the back-end server, yet it \
does. It tags on the entire RegEx.</p> <p \
style="margin-bottom:0in;line-height:100%"><br> </p>
<p style="margin-bottom:0in;line-height:100%">So what I can do is rework my \
ProxyPassMatch lines with parens and things work as described like:</p> <p \
style="margin-bottom:0in;line-height:100%"><br> </p>
<p style="margin-bottom:0in;line-height:100%">ProxyPassMatch "^/(login)$" \
balancer://webfarm/$1.php</p> <p \
style="margin-bottom:0in;line-height:100%">ProxyPassMatch \
"^/(favicon.ico)$" balancer://webfarm/$1</p> <p \
style="margin-bottom:0in;line-height:100%"><br> </p>
<p style="margin-bottom:0in;line-height:100%">But why does ProxyPassMatch force the \
RegEx onto the end of the proxied URL when I don’t use parentheses. Am I doing \
something wrong or is this a bug?</p> <p \
style="margin-bottom:0in;line-height:100%"><br> </p>
<p style="margin-bottom:0in;line-height:100%">Thanks in advance for any \
suggestions,</p> <p style="margin-bottom:0in;line-height:100%"><br>
</p>
<p style="margin-bottom:0in;line-height:100%">Scott</p>
<br>
</div>
<div>
<div id="appendonsend"></div>
<div style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt; \
color:rgb(0,0,0)"> <br>
</div>
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="divRplyFwdMsg" dir="ltr"><font style="font-size:11pt" face="Calibri, \
sans-serif" color="#000000"><b>From:</b> Scott A. Wozny \
<sawozny@hotmail.com><br> <b>Sent:</b> January 3, 2021 5:45 PM<br>
<b>To:</b> users@httpd.apache.org <users@httpd.apache.org><br>
<b>Subject:</b> [users@httpd] ProxyPass OK, but not ProxyPassMatch for \
favicon.ico</font> <div> </div>
</div>
<div dir="ltr">
<div style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt; \
color:rgb(0,0,0)"> <p style="margin-top: 0px; margin-bottom: 0px;margin-bottom:0in; \
line-height:100%"> I’m configuring a reverse proxy in stages. Initially, I just \
wanted to see if the proxying would work, so In a virtual server, I set up a Proxy \
balancer://webfarm with a couple BalancerMembers inside and an lbmethod of \
byrequests. Then I used a: </p>
<p style="margin-top: 0px; margin-bottom: 0px;margin-bottom:0in; line-height:100%">
<br>
</p>
<p style="margin-top: 0px; margin-bottom: 0px;margin-bottom:0in; line-height:100%">
ProxyPass / balancer://webfarm </p>
<p style="margin-top: 0px; margin-bottom: 0px;margin-bottom:0in; line-height:100%">
<br>
</p>
<p style="margin-top: 0px; margin-bottom: 0px;margin-bottom:0in; line-height:100%">
to make sure I could get to the content on the back end server and it all worked \
fine. If a file was accessible on the back-end, I would get it back. </p>
<p style="margin-top: 0px; margin-bottom: 0px;margin-bottom:0in; line-height:100%">
<br>
</p>
<p style="margin-top: 0px; margin-bottom: 0px;margin-bottom:0in; line-height:100%">
Then, to lock things down further, I removed the prefix-based ProxyPass line and \
replaced it with a series of: </p>
<p style="margin-top: 0px; margin-bottom: 0px;margin-bottom:0in; line-height:100%">
<br>
</p>
<p style="margin-top: 0px; margin-bottom: 0px;margin-bottom:0in; line-height:100%">
ProxyPassMatch "^/pagename$" balancer://webfarm/pagename.php </p>
<p style="margin-top: 0px; margin-bottom: 0px;margin-bottom:0in; line-height:100%">
<br>
</p>
<p style="margin-top: 0px; margin-bottom: 0px;margin-bottom:0in; line-height:100%">
lines for each page followed by a: </p>
<p style="margin-top: 0px; margin-bottom: 0px;margin-bottom:0in; line-height:100%">
<br>
</p>
<p style="margin-top: 0px; margin-bottom: 0px;margin-bottom:0in; line-height:100%">
ProxyPass / ! </p>
<p style="margin-top: 0px; margin-bottom: 0px;margin-bottom:0in; line-height:100%">
<br>
</p>
<p style="margin-top: 0px; margin-bottom: 0px;margin-bottom:0in; line-height:100%">
to send everything not explicitly allowed a 404. This all works fine. </p>
<p style="margin-top: 0px; margin-bottom: 0px;margin-bottom:0in; line-height:100%">
<br>
</p>
<p style="margin-top: 0px; margin-bottom: 0px;margin-bottom:0in; line-height:100%">
Checking my logs I saw favicon.ico was getting sent 404s on the proxy server, so I \
added a line to my config with the other allowed elements: </p>
<p style="margin-top: 0px; margin-bottom: 0px;margin-bottom:0in; line-height:100%">
<br>
</p>
<p style="margin-top: 0px; margin-bottom: 0px;margin-bottom:0in; line-height:100%">
ProxyPassMatch "^/favicon.ico$" balancer://webfarm/favicon.ico </p>
<p style="margin-top: 0px; margin-bottom: 0px;margin-bottom:0in; line-height:100%">
<br>
</p>
<p style="margin-top: 0px; margin-bottom: 0px;margin-bottom:0in; line-height:100%">
but after restarting Apache, I still get 404s. Thinking there may be something \
trailing or following that I can’t see, I tried: </p>
<p style="margin-top: 0px; margin-bottom: 0px;margin-bottom:0in; line-height:100%">
<br>
</p>
<p style="margin-top: 0px; margin-bottom: 0px;margin-bottom:0in; line-height:100%">
ProxyPassMatch "favicon.ico" balancer://webfarm/favicon.ico </p>
<p style="margin-top: 0px; margin-bottom: 0px;margin-bottom:0in; line-height:100%">
<br>
</p>
<p style="margin-top: 0px; margin-bottom: 0px;margin-bottom:0in; line-height:100%">
restarted and still 404s. The only way I can make it work is with </p>
<p style="margin-top: 0px; margin-bottom: 0px;margin-bottom:0in; line-height:100%">
<br>
</p>
<p style="margin-top: 0px; margin-bottom: 0px;margin-bottom:0in; line-height:100%">
ProxyPass /favicon.ico balancer://webfarm/favicon.ico </p>
<p style="margin-top: 0px; margin-bottom: 0px;margin-bottom:0in; line-height:100%">
<br>
</p>
<p style="margin-top: 0px; margin-bottom: 0px;margin-bottom:0in; line-height:100%">
which, while not the end of the world, is inconsistent with my overall lockdown \
strategy so I’m wondering if anyone can tell me where I went wrong. I haven’t gotten \
to the allow-list for my images yet, but I’m worried I’m going to have the same \
problem with them.</p>
<p style="margin-top: 0px; margin-bottom: 0px;margin-bottom:0in; line-height:100%">
<br>
</p>
<p style="margin-top: 0px; margin-bottom: 0px;margin-bottom:0in; line-height:100%">
Also, I know the ProxyPassMatch line is definitely matching for favicon.ico because \
even if I put the ProxyPass / that passes everything to the back-end server back into \
the config, if it’s below the ProxyPassMatch line for favicon.ico I still get a \
404.</p> <p style="margin-top: 0px; margin-bottom: 0px;margin-bottom:0in; \
line-height:100%"> <br>
</p>
<p style="margin-top: 0px; margin-bottom: 0px;margin-bottom:0in; line-height:100%">
Thanks,</p>
<p style="margin-top: 0px; margin-bottom: 0px;margin-bottom:0in; line-height:100%">
<br>
</p>
<p style="margin-top: 0px; margin-bottom: 0px;margin-bottom:0in; line-height:100%">
Scott</p>
<br>
</div>
</div>
</div>
</body>
</html>
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic