Posted to users@httpd.apache.org by Asplund Marko <ma...@ixonos.com> on 2012/01/14 09:35:38 UTC

[users@httpd] mod_rewrite access control configuration

Hi,

I'm using Apache httpd to act as a reverse proxy and I'd like to block
access to all but explicitly listed resources.
I've come up with two possible solutions that I'd like to check with more
experienced mod_rewrite users.

Is there any difference between the two approaches below from performance
or other points of view?
I expect the set of allowed resources to be probably below 30.
I'm also planning on employing other Apache modules in the proxy such as
mod_cache and possibly mod_security.

# method A: one rule with several conditions.
# allow access to resources starting with /foo/, /bar/ or /baz/; block others
RewriteCond %{REQUEST_URI} ^/foo/ [OR]
RewriteCond %{REQUEST_URI} ^/bar/ [OR]
RewriteCond %{REQUEST_URI} ^/baz/
RewriteRule  ^ - [P]

RewriteRule ^ - [F]

# method B, multiple rules without conditions

# allow access to resources starting with /foo/, /bar/ or /baz/; block others
RewriteRule ^/foo/ - [P]
RewriteRule ^/bar/ - [P]
RewriteRule ^/baz/ - [P]
RewriteRule ^ - [F]


All requests are currently proxied to the backend server simply using:


ProxyPass / ajp://127.0.0.1:8009/


marko


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] mod_rewrite access control configuration

Posted by Jeroen Geilman <je...@adaptr.nl>.
On 01/14/2012 09:35 AM, Asplund Marko wrote:
> Hi,
>
> I'm using Apache httpd to act as a reverse proxy and I'd like to block
> access to all but explicitly listed resources.
> I've come up with two possible solutions that I'd like to check with more
> experienced mod_rewrite users.
>
> Is there any difference between the two approaches below from performance
> or other points of view?
> I expect the set of allowed resources to be probably below 30.
> I'm also planning on employing other Apache modules in the proxy such as
> mod_cache and possibly mod_security.
>
> # method A: one rule with several conditions.
> # allow access to resources starting with /foo/, /bar/ or /baz/; block others
> RewriteCond %{REQUEST_URI} ^/foo/ [OR]
> RewriteCond %{REQUEST_URI} ^/bar/ [OR]
> RewriteCond %{REQUEST_URI} ^/baz/
> RewriteRule  ^ - [P]
>
> RewriteRule ^ - [F]
>
> # method B, multiple rules without conditions
>
> # allow access to resources starting with /foo/, /bar/ or /baz/; block others
> RewriteRule ^/foo/ - [P]
> RewriteRule ^/bar/ - [P]
> RewriteRule ^/baz/ - [P]
> RewriteRule ^ - [F]
>
>
> All requests are currently proxied to the backend server simply using:
>
>
> ProxyPass / ajp://127.0.0.1:8009/
>
>

Rewrite and ProxyPass are not related.
Why exactly are you using RewriteRules for this?

-- 
J.




Re: [users@httpd] mod_rewrite access control configuration

Posted by Tom Evans <te...@googlemail.com>.
On Sat, Jan 14, 2012 at 8:35 AM, Asplund Marko <ma...@ixonos.com> wrote:
> Hi,
>
> I'm using Apache httpd to act as a reverse proxy and I'd like to block
> access to all but explicitly listed resources.
> I've come up with two possible solutions that I'd like to check with more
> experienced mod_rewrite users.
>
> Is there any difference between the two approaches below from performance
> or other points of view?
> I expect the set of allowed resources to be probably below 30.
> I'm also planning on employing other Apache modules in the proxy such as
> mod_cache and possibly mod_security.
>
> # method A: one rule with several conditions.
> # allow access to resources starting with /foo/, /bar/ or /baz/; block others
> RewriteCond %{REQUEST_URI} ^/foo/ [OR]
> RewriteCond %{REQUEST_URI} ^/bar/ [OR]
> RewriteCond %{REQUEST_URI} ^/baz/
> RewriteRule  ^ - [P]
>
> RewriteRule ^ - [F]
>
> # method B, multiple rules without conditions
>
> # allow access to resources starting with /foo/, /bar/ or /baz/; block others
> RewriteRule ^/foo/ - [P]
> RewriteRule ^/bar/ - [P]
> RewriteRule ^/baz/ - [P]
> RewriteRule ^ - [F]
>
>
> All requests are currently proxied to the backend server simply using:
>
>
> ProxyPass / ajp://127.0.0.1:8009/
>
>
> marko
>

If you don't want to proxy certain URLs, then instruct mod_proxy not
to proxy them:

ProxyPass /foo !
ProxyPass /bar !
ProxyPass /baz !
ProxyPass / ajp://127.0.0.1:8009/

No need to be messing with rewrite rules.

Cheers

Tom
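
An added example, not part of any poster's message: a default-deny allowlist for the reverse proxy described in the original question, set beside the `ProxyPass ... !` exclusion form for contrast. It assumes httpd 2.4 authorization syntax (`Require`) and reuses the thread's prefixes and AJP backend.

```apache
# Added example (not from the thread). Assumes httpd 2.4 with mod_proxy,
# mod_proxy_ajp and mod_authz_core loaded; the prefixes and the backend
# address are the ones used in the thread.

# Exclusion form, shown commented out for contrast: every path is proxied
# EXCEPT those marked "!", so this is a blocklist, not an allowlist.
# The "!" lines must precede the catch-all mapping.
#   ProxyPass /foo !
#   ProxyPass /    ajp://127.0.0.1:8009/

# Allowlist form: only the listed prefixes are mapped to the backend.
# There is no catch-all "ProxyPass /", so an unlisted path is never
# forwarded to the AJP connector.
ProxyRequests Off
ProxyPass /foo/ ajp://127.0.0.1:8009/foo/
ProxyPass /bar/ ajp://127.0.0.1:8009/bar/
ProxyPass /baz/ ajp://127.0.0.1:8009/baz/

# Default deny for anything the proxy host itself might otherwise serve.
# <Location> and <LocationMatch> sections are merged in configuration
# order, so the later, narrower section overrides the denial.
<Location "/">
    Require all denied
</Location>
<LocationMatch "^/(foo|bar|baz)/">
    Require all granted
</LocationMatch>
```

With this in place, a request for any path outside the three prefixes should be answered with 403 by the proxy itself and never appear in the backend's access log.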
