You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@httpd.apache.org by Rici Lake <ri...@ricilake.net> on 2005/01/19 16:49:29 UTC

ProxyRemoteMatch brokenness

The ProxyRemoteMatch directive is supposed to use a regex to redirect 
certain proxy requests to a remote proxy server (as I understand the 
documentation). I actually needed that for a configuration (see below) 
and was puzzled to find that it doesn't work: (line numbers from 
APACHE_2_0_BRANCH, because I can't find a web interface to svn)

389 :  p2 = ap_strchr_c(ents[i].scheme, ':');  /* is it a partial URL? 
*/
390 :  if (strcmp(ents[i].scheme, "*") == 0 ||
391 :      (ents[i].use_regex && ap_regexec(ents[i].regexp, url, 
0,NULL, 0)) ||
392 :      (p2 == NULL && strcasecmp(scheme, ents[i].scheme) == 0) ||
393 :      (p2 != NULL &&
394 :       strncasecmp(url, ents[i].scheme, strlen(ents[i].scheme)) == 
0)) {

ap_regexec returns 0 on success, so the condition in line 391 matches 
if the regex didn't match, which is the reverse of the expected 
behaviour. Changing line 391 to

391 :      (ents[i].use_regex && ap_regexec(ents[i].regexp, url, 
0,NULL, 0) == 0) ||

produced the expected behaviour [1].

This code seems to have been unchanged since the directive was 
introduced in 2.0.35, almost three years ago, and I cannot find any 
relevant bug reports; in fact, googling for ProxyRemoteMatch did not 
yield any indication that anyone has ever tried to use the directive, 
much less succeeded. This would seem to be a reasonable case for 
deleting the directive, although I am now using it (with a patched 
httpd, of course) so I would be slightly resistant to this.

The particular configuration I'm using is to tunnel http and https 
through an ssh tunnel to a gateway machine inside a firewalled network; 
the relevant hostnames are not in the external DNS, of course, so I 
wanted to proxy only requests which match the internal domain suffix. 
This is not a feature of any browser I know of; browsers seem to have 
proxy exceptions rather than proxy affirmations. So I ended up with two 
proxy servers, one on a gateway in my local network, and another one on 
the gateway in the remote network; the two gateways are connected 
through an ssh tunnel:

Local gateway:

   ProxyRequests On
   <Proxy *>
     Order allow,deny
     allow from 10.
   </Proxy>
   ProxyRemoteMatch ^(http://)?[^/]*.internal.dns.suffix 
http://localhost:8888
   # (http://)? is to also allow proxying of CONNECT. Surprisingly, it 
works.

Remote gateway (separate apache instance, this is almost the entire 
config file):

   Listen localhost:8888
   ProxyRequests On
   AllowCONNECT <various ports listening for https>

where the ssh tunnel connects port 8888 on the local gateway to 
localhost:8888 on the remote gateway.

If anyone has a better way of accomplishing this, I'll withdraw my 
objection to deprecating ProxyRemoteMatch.


-------------------------------------------

[1]: I would personally have written that code somewhat differently to 
avoid doing non-regex matches in the regex case:

   if (ents[i].use_regex) {
      if (ap_regexec(ents[i].regexp, url, 0, NULL, 0) != 0) continue;
   } else if (strcmp(ents[i].scheme, "*") != 0) {
      if (ap_strchr_c(ents[i].scheme, ':') == 0) {
          if (strcasecmp(scheme, ents[i].scheme) != 0) continue;
      } else {
          if (strncasecmp(url, ents[i].scheme, strlen(ents[i].scheme) != 
0) continue;
      }
   }
   /* if we get here, we've got a match */