Posted to dev@httpd.apache.org by Rici Lake <ri...@ricilake.net> on 2005/01/19 16:49:29 UTC
ProxyRemoteMatch brokenness
The ProxyRemoteMatch directive is supposed to use a regex to redirect
certain proxy requests to a remote proxy server (as I understand the
documentation). I actually needed that for a configuration (see below)
and was puzzled to find that it doesn't work: (line numbers from
APACHE_2_0_BRANCH, because I can't find a web interface to svn)
389 :     p2 = ap_strchr_c(ents[i].scheme, ':');  /* is it a partial URL? */
390 :     if (strcmp(ents[i].scheme, "*") == 0 ||
391 :         (ents[i].use_regex && ap_regexec(ents[i].regexp, url, 0, NULL, 0)) ||
392 :         (p2 == NULL && strcasecmp(scheme, ents[i].scheme) == 0) ||
393 :         (p2 != NULL &&
394 :          strncasecmp(url, ents[i].scheme, strlen(ents[i].scheme)) == 0)) {
ap_regexec returns 0 on success, so the condition in line 391 matches
if the regex didn't match, which is the reverse of the expected
behaviour. Changing line 391 to
391 :         (ents[i].use_regex && ap_regexec(ents[i].regexp, url, 0, NULL, 0) == 0) ||
produced the expected behaviour [1].
This code seems to have been unchanged since the directive was
introduced in 2.0.35, almost three years ago, and I cannot find any
relevant bug reports; in fact, googling for ProxyRemoteMatch did not
yield any indication that anyone has ever tried to use the directive,
much less succeeded. This would seem to be a reasonable case for
deleting the directive, although I am now using it (with a patched
httpd, of course) so I would be slightly resistant to this.
The particular configuration I'm using is to tunnel http and https
through an ssh tunnel to a gateway machine inside a firewalled network;
the relevant hostnames are not in the external DNS, of course, so I
wanted to proxy only requests which match the internal domain suffix.
This is not a feature of any browser I know of; browsers seem to have
proxy exceptions rather than proxy affirmations. So I ended up with two
proxy servers, one on a gateway in my local network, and another one on
the gateway in the remote network; the two gateways are connected
through an ssh tunnel:
Local gateway:
    ProxyRequests On
    <Proxy *>
        Order allow,deny
        allow from 10.
    </Proxy>
    ProxyRemoteMatch ^(http://)?[^/]*.internal.dns.suffix http://localhost:8888
    # (http://)? is to also allow proxying of CONNECT. Surprisingly, it works.
Remote gateway (separate apache instance, this is almost the entire
config file):
    Listen localhost:8888
    ProxyRequests On
    AllowCONNECT <various ports listening for https>
where the ssh tunnel connects port 8888 on the local gateway to
localhost:8888 on the remote gateway.
If anyone has a better way of accomplishing this, I'll withdraw my
objection to deprecating ProxyRemoteMatch.
-------------------------------------------
[1]: I would personally have written that code somewhat differently to
avoid doing non-regex matches in the regex case:
    if (ents[i].use_regex) {
        /* regex entry: ap_regexec returns 0 on a match */
        if (ap_regexec(ents[i].regexp, url, 0, NULL, 0) != 0) continue;
    } else if (strcmp(ents[i].scheme, "*") != 0) {
        if (ap_strchr_c(ents[i].scheme, ':') == NULL) {
            /* bare scheme: compare against the request's scheme */
            if (strcasecmp(scheme, ents[i].scheme) != 0) continue;
        } else {
            /* partial URL: compare as a prefix of the request URL */
            if (strncasecmp(url, ents[i].scheme, strlen(ents[i].scheme)) != 0) continue;
        }
    }
    /* if we get here, we've got a match */
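
The return-value mix-up described in the post, as an added example that is not part of the original message or of httpd's source. It assumes POSIX regexec (which likewise returns 0 on a match) in place of ap_regexec, and uses a constructed pattern and constructed URLs, with internal.example as a placeholder suffix, to show which requests each form of the line-391 test would hand to the remote proxy.

```c
#include <regex.h>
#include <stdio.h>

/* Constructed pattern modelled on the post's ProxyRemoteMatch line; the
 * suffix "internal.example" is a placeholder and its dots are escaped. */
static const char *PATTERN = "^(http://)?[^/]*\\.internal\\.example";

/* Test as on line 391 before the fix: a nonzero (no-match) result from
 * regexec is treated as "this entry applies". */
static int routes_buggy(const regex_t *re, const char *url)
{
    return regexec(re, url, 0, NULL, 0) ? 1 : 0;
}

/* Test after the fix: regexec returns 0 when the pattern matched. */
static int routes_fixed(const regex_t *re, const char *url)
{
    return regexec(re, url, 0, NULL, 0) == 0;
}

/* Bitmask over the constructed sample URLs: bit i set means URL i would
 * be forwarded to the remote proxy. Returns ~0u if the pattern is bad. */
unsigned forwarded_mask(int fixed)
{
    static const char *urls[] = {
        "http://wiki.internal.example/page", /* bit 0: internal, HTTP    */
        "build.internal.example:443",        /* bit 1: internal, CONNECT */
        "http://www.example.org/",           /* bit 2: external, HTTP    */
        "www.example.org:443",               /* bit 3: external, CONNECT */
    };
    regex_t re;
    unsigned mask = 0;

    if (regcomp(&re, PATTERN, REG_EXTENDED | REG_NOSUB) != 0)
        return ~0u;
    for (size_t i = 0; i < sizeof urls / sizeof urls[0]; i++) {
        int hit = fixed ? routes_fixed(&re, urls[i])
                        : routes_buggy(&re, urls[i]);
        if (hit)
            mask |= 1u << i;
    }
    regfree(&re);
    return mask;
}

int main(void)
{
    printf("buggy: 0x%x  fixed: 0x%x\n", forwarded_mask(0), forwarded_mask(1));
    return 0;
}
```

With the unfixed test the two masks are exact complements: every external request is sent through the tunnel and every internal one bypasses it.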