Posted to users@httpd.apache.org by "John S. Wolter" <jo...@wolterworks.com> on 2005/03/27 06:46:10 UTC

[users@httpd] SUSE 9.2 Apache 2.0.50 Rewrite problem

I may have a subtle Apache(2.0.5) Rewrite error I can't backtrack.  I'm not sure I'm 
getting out of the Apache environment.  I'm using the Apache Rewrite inside a <VirtualHost> 
to a Zope.org content management system folder /wwservice declared as / at the same IP but 
port 8080.  It works like most Rewrites directing a URL to another.  I'm using a technique 
documented in http://www.zope.org/Members/lams/HowTo.2004-05-17.0444, "Installing and 
configuring Zope 2.7 with VHM, apache 2 and rewrite rules".

I'm getting a Forbidden 403, "You don't have permission to access / on this server", 
message after the Rewrite activity.  I look in the Rewrite log and it is rewriting for 
IP:8080/wwservice.  Where is it being sent?  LINUX filesystem? Zope?  I don't think it is 
getting to Zope as I can see the Rewrite log entries action but nothing added to Zope's 
access Z2.log.  No action there like it never arrived at IP:8080.

Here's the result from the rewrite log:

"go-ahead with proxy request
proxy:http:/xxx.xxx.xxx.xxx:8080/VirtualHostBase/http/wwsrv01.my.net/wwservice/VirtualHostRoot/ 

[OK]"  The important part is proxy:http:/xxx.xxx.xxx.xxx:8080/ ,   xxx.. being a real IP 
address.  Next I get another error...

Here's the interesting part, I get an error for the error report like this:

"Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument 
to handle the request."  Sounds like Apache?  I'm wondering about deny, allow problems but 
   I haven't seen any yet.

I can get to Zope successfully by invoking the service using 
http://xxx.xxx.xxx.xxx:8080/wwservice, the standard Zope main page comes up without a problem.

I'm guessing it's something within the Apache setup.  Any ideas?

-- 
------------ Wolter Works - Always Innovating -------------
- Industry and Commerce Internet Invention & Innovation
- Internet Marketing Product Concepts & Implementation

mailto:johnswolter@wolterworks.com

John Wolter, President
1531 Jones Drive
Ann Arbor, MI 48105-1871 USA
1-734-665-1263

Copyright 2004 John S. Wolter

Neither this information block, the typed name of the sender,
nor anything else in this message is intended to constitute an
electronic signature unless a specific statement to the contrary
is included in this message.








---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] SUSE 9.2 Apache 2.0.50 Rewrite problem[SOLVED]

Posted by "John S. Wolter" <jo...@wolterworks.com>.
Joshua:

Here's an article I just came across on reverse proxies:

http://www.apacheweek.com/features/reverseproxies

>On Mon, 28 Mar 2005 12:04:36 -0500, John S. Wolter
><jo...@wolterworks.com> wrote:
>  
>
>>I then undertook to examine all of SUSE's LINUX Pro 9.2's 28 Apache
>>.conf files.  I found that ProxyRequests is by default turned off,
>>turning it On it works. Simple.  Off is SUSE's default but I do not know
>>if that is the Apache distribution default.  While exploring the
>>Rewriting, and now Proxy, issue I came across a couple of books that
>>covered Apache security.  One issue that all discussed is preventing
>>Apache's proxy from being used as an open relay.
>>    
>>
>
>You do *not* need "ProxyRequests On" to create a reverse proxy.  This
>may, in fact, make things work for you, but it is not the "correct"
>solution.  There must be another problem in your config.
>
>Joshua.
>
>  
>
-- 
------------ Wolter Works - Always Innovating -------------
- Industry and Commerce Internet Invention & Innovation
- Internet Marketing Product Concepts & Implementation

mailto:johnswolter@wolterworks.com

John Wolter, President
1531 Jones Drive
Ann Arbor, MI 48105-1871 USA
1-734-665-1263

Copyright 2004 John S. Wolter
  
Neither this information block, the typed name of the sender,
nor anything else in this message is intended to constitute an
electronic signature unless a specific statement to the contrary
is included in this message.




Re: [users@httpd] SUSE 9.2 Apache 2.0.50 Rewrite problem[SOLVED]

Posted by Joshua Slive <js...@gmail.com>.
On Mon, 28 Mar 2005 12:04:36 -0500, John S. Wolter
<jo...@wolterworks.com> wrote:
> I then undertook to examine all of SUSE's LINUX Pro 9.2's 28 Apache
> .conf files.  I found that ProxyRequests is by default turned off,
> turning it On it works. Simple.  Off is SUSE's default but I do not know
> if that is the Apache distribution default.  While exploring the
> Rewriting, and now Proxy, issue I came across a couple of books that
> covered Apache security.  One issue that all discussed is preventing
> Apache's proxy from being used as an open relay.

You do *not* need "ProxyRequests On" to create a reverse proxy.  This
may, in fact, make things work for you, but it is not the "correct"
solution.  There must be another problem in your config.

Joshua.



Re: [users@httpd] SUSE 9.2 Apache 2.0.50 Rewrite problem[SOLVED]

Posted by "John S. Wolter" <jo...@wolterworks.com>.
Thank you to all that responded with information, it all made a 
difference.  My last experiment proved it had to be something with the 
Apache package.  Basically I did a literal Rewrite with no translation 
required just take the replacement URL :
http://xxx.xxx.xxx.xxx:8080/VirtualHostBase/http/wwservice.my.net:80/wwservice/VirtualHostRoot/ 
[L,P] and let it go.  It failed to arrive at Zope's port.

I then undertook to examine all of SUSE's LINUX Pro 9.2's 28 Apache 
.conf files.  I found that ProxyRequests is by default turned off, 
turning it On it works. Simple.  Off is SUSE's default but I do not know 
if that is the Apache distribution default.  While exploring the 
Rewriting, and now Proxy, issue I came across a couple of books that 
covered Apache security.  One issue that all discussed is preventing 
Apache's proxy from being used as an open relay.

Open relay proxying can be prevented of course by turning ProxyRequests 
Off but for proxying Zope's URL it has to be turned On, however other 
security measures are possible.  One way is to use a <Proxy wildcard-url> 
directive to place access restrictions like this:

<Proxy *>
    Order Deny,Allow
    Deny from all
    # Define your local network or as you please.
    Allow from xxx.xxx.xxx
</Proxy>

Add some firewall configuration and possibly using Nick Kew's mods, see 
below, and you will have a number of security and access options.

Back to the issue at hand. Apache's mod_rewrite module does a rewrite 
and then puts that through mod_proxy.  The RewriteLog and 
RewriteLogLevel commands allow observation of mod_rewrite's processing 
results.  When finished the URL needed to look like this:
proxy:http://xxx.xxx.xxx.xxx:8080/wwservice/ which proceeds in this case 
to Zope's port.

SUSE's YaST configuration utility, now GPL'ed, can be somewhat awkward 
for Apache configuration and testing.  It is possible to directly access 
its programs with the line yast <program>.  That should reduce the 
change, run, test, & read logs cycle times with the addition of some 
very simple scripts.  The configuration files are held in /etc/apache2 
with Apache information in /usr/share/doc/packages/apache2.  Logging 
files are kept in /var/log/apache2.  SUSE's httpd.conf file suggests the 
creation of httpd.conf.local which is  included at the end of the 
standard .conf file.  That file should outlast any system upgrades.  I 
placed the needed ProxyRequests and <Proxy ...> directive and commands 
in this local file.  An alternative to the local file is to do all 
Apache configuration in the traditional manner using your favorite editor.

As a last comment I will have to spend the time to obtain the 
documentation for each of the modules in the configuration to see how 
they will affect interaction with Apache and Zope.  Thank you for all 
your help.

REFERENCES ONLINE:
mod_proxy ---> http://httpd.apache.org/docs-2.0/mod/mod_proxy.html
Nick Kew -----> http://apache.webthing.com
Apache Week --> http://www.apacheweek.com

BOOKS:
Apache: The Definitive Guide, Ben & Pete Laurie; Very good but not as 
complete as I hoped
Pro Apache, Peter Wainwright; A wealth of practical examples and insights
Hardening Apache, Tony Mobily; Just that, security issues

>On Sat, 26 Mar 2005 23:46:10 -0500, John S. Wolter
><jo...@wolterworks.com> wrote:
>  
>
>>I may have a subtle Apache(2.0.5) Rewrite error I can't backtrack.  I'm not sure I'm
>>getting out of the Apache environment.  I'm using the Apache Rewrite inside a <VirtualHost>
>>to a Zope.org content management system folder /wwservice declared as / at the same IP but
>>port 8080.  It works like most Rewrites directing a URL to another.  I'm using a technique
>>documented in http://www.zope.org/Members/lams/HowTo.2004-05-17.0444, "Installing and
>>configuring Zope 2.7 with VHM, apache 2 and rewrite rules".
>>
>>I'm getting a Forbidden 403, "You don't have permission to access / on this server",
>>message after the Rewrite activity.  I look in the Rewrite log and it is rewriting for
>>IP:8080/wwservice.  Where is it being sent?  LINUX filesystem? Zope?  I don't think it is
>>getting to Zope as I can see the Rewrite log entries action but nothing added to Zope's
>>access Z2.log.  No action there like it never arrived at IP:8080.
>>    
>>
>
>It might help to provide more complete excerpts from the error_log and
>RewriteLog.
>
>Joshua.
>
>  
>


-- 
------------ Wolter Works - Always Innovating -------------
- Industry and Commerce Internet Invention & Innovation
- Internet Marketing Product Concepts & Implementation

mailto:johnswolter@wolterworks.com

John Wolter, President
1531 Jones Drive
Ann Arbor, MI 48105-1871 USA
1-734-665-1263

Copyright 2004 John S. Wolter
  
Neither this information block, the typed name of the sender,
nor anything else in this message is intended to constitute an
electronic signature unless a specific statement to the contrary
is included in this message.
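
The open-relay concern raised in the message above, as a check (an added example, not part of the original thread): a small Python audit that classifies Apache 2.0-style configuration text as forward proxying off, restricted by a deny-by-default <Proxy *> section, or open. The sample configurations, the 192.0.2.x addresses and the function name audit_proxy are constructed for illustration; the parser ignores <VirtualHost> scoping and Include files.

```python
import re

# Constructed samples (192.0.2.x is a documentation address, not from the thread).
OPEN_CONF = """\
ProxyRequests On
RewriteEngine On
RewriteRule ^/(.*) http://192.0.2.10:8080/wwservice/$1 [L,P]
"""
RESTRICTED_CONF = OPEN_CONF + """\
<Proxy *>
    Order Deny,Allow
    Deny from all
    Allow from 192.0.2
</Proxy>
"""
REVERSE_ONLY_CONF = OPEN_CONF.replace("ProxyRequests On", "ProxyRequests Off")


def audit_proxy(conf):
    """Classify Apache 2.0-style config text by forward-proxy exposure.

    Simplified (assumption): ignores <VirtualHost> scoping and Include files,
    and only reads Order/Allow/Deny inside a wildcard <Proxy *> section.
    """
    forward = False            # documented default: ProxyRequests Off
    in_block = restricted = False
    order, deny_all, allows = "deny,allow", False, []
    for line in (l.strip().lower() for l in conf.splitlines()):
        if line.startswith("#"):
            continue
        m = re.match(r"proxyrequests\s+(on|off)\b", line)
        if m:
            forward = m.group(1) == "on"      # last directive seen wins
        elif re.match(r'<proxy\s+"?\*"?\s*>', line):
            in_block, order, deny_all, allows = True, "deny,allow", False, []
        elif line == "</proxy>" and in_block:
            in_block = False
            if order == "deny,allow":   # Deny first, Allow overrides, default allow
                restricted = deny_all and "all" not in allows
            else:                        # allow,deny: default deny, Deny overrides
                restricted = deny_all or "all" not in allows
        elif in_block and line.startswith("order "):
            order = line.split(None, 1)[1].replace(" ", "")
        elif in_block and line.startswith("deny from "):
            deny_all = deny_all or "all" in line.split()[2:]
        elif in_block and line.startswith("allow from "):
            allows += line.split()[2:]
    if not forward:
        return "forward-proxy-off"
    return "forward-proxy-restricted" if restricted else "open-forward-proxy"
```

A RewriteRule with the [P] flag is present in all three samples; only the ProxyRequests setting and the <Proxy *> access rules change the classification.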




Re: [users@httpd] SUSE 9.2 Apache 2.0.50 Rewrite problem

Posted by Joshua Slive <js...@gmail.com>.
On Sat, 26 Mar 2005 23:46:10 -0500, John S. Wolter
<jo...@wolterworks.com> wrote:
> I may have a subtle Apache(2.0.5) Rewrite error I can't backtrack.  I'm not sure I'm
> getting out of the Apache environment.  I'm using the Apache Rewrite inside a <VirtualHost>
> to a Zope.org content management system folder /wwservice declared as / at the same IP but
> port 8080.  It works like most Rewrites directing a URL to another.  I'm using a technique
> documented in http://www.zope.org/Members/lams/HowTo.2004-05-17.0444, "Installing and
> configuring Zope 2.7 with VHM, apache 2 and rewrite rules".
> 
> I'm getting a Forbidden 403, "You don't have permission to access / on this server",
> message after the Rewrite activity.  I look in the Rewrite log and it is rewriting for
> IP:8080/wwservice.  Where is it being sent?  LINUX filesystem? Zope?  I don't think it is
> getting to Zope as I can see the Rewrite log entries action but nothing added to Zope's
> access Z2.log.  No action there like it never arrived at IP:8080.

It might help to provide more complete excerpts from the error_log and
RewriteLog.

Joshua.



Re: [users@httpd] SUSE 9.2 Apache 2.0.50 Rewrite problem

Posted by g....@itcilo.org.
"John S. Wolter" <jo...@wolterworks.com> wrote on 27/03/2005 
06.46.10:

> I may have a subtle Apache(2.0.5) Rewrite error I can't backtrack. 
> I'm getting a Forbidden 403, "You don't have permission to access / 
> on this server", 
> message after the Rewrite activity.  I look in the Rewrite log and 
> it is rewriting for 
> IP:8080/wwservice.  Where is it being sent?  LINUX filesystem? Zope?
> I don't think it is 
> getting to Zope as I can see the Rewrite log entries action but 
> nothing added to Zope's 
> access Z2.log.  No action there like it never arrived at IP:8080.
> 
> Here's the result from the rewrite log:
> 
> "go-ahead with proxy request
> proxy:http:/xxx.xxx.xxx.xxx:8080/VirtualHostBase/http/wwsrv01.my.
> net/wwservice/VirtualHostRoot/ 
> 
> [OK]"  The important part is proxy:http:/xxx.xxx.xxx.xxx:8080/ , 
> xxx.. being a real IP 
> address.  Next I get another error...
> 
> Here's the interesting part, I get an error for the error report like this:
> 
> "Additionally, a 403 Forbidden error was encountered while trying to
> use an ErrorDocument 
> to handle the request."  Sounds like Apache?  I'm wondering about 
> deny, allow problems but 
>    I haven't seen any yet.
> 
> I can get to Zope successfully by invoking the service using 
> http://xxx.xxx.xxx.xxx:8080/wwservice, the standard Zope main page 
> comes up without a problem.
> 
> I'm guessing it's something within the Apache setup.  Any ideas?

Could you copy your virtual host configuration, especially the rewrite 
rules?

When typing the final address, i.e 
"http:/xxx.xxx.xxx.xxx:8080/VirtualHostBase/http/wwsrv01.my.net/wwservice/VirtualHostRoot/"
how is it showing up? You said that the layout is missing: where is this 
layout physically, i.e in which zope folder? The same as your Plone site?

Regards

Gaël Lams
