You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by André Warnier <aw...@ice-sa.com> on 2009/10/25 12:12:12 UTC

[users@httpd] mod_rewrite, mod_proxy and AAA

Hi.

environment : Apache 2.2, all platforms

In the doc. for RewriteRule it specifies :
Context:	server config, virtual host, directory, .htaccess

Similarly, the doc. for ProxyPass indicates :
Context:	server config, virtual host, directory

Does the above mean that they apply also to a <Location> section ?
Looking at http://httpd.apache.org/docs/2.2/sections.html
it seems so, but I'd like to be sure.


Underlying question :

I currently have the following directives in a <VirtualHost> :

	RewriteRule ^/cgi-bin/script.pl$ /getit [P]
	ProxyPass /getit http://another-host.com/getit
	ProxyPassReverse /getit http://another-host.com/getit

this works fine.

I would like however, that *before* the above proxying to the back-end 
takes place, such requests would be subject to AAA on the front-end 
server.  For this, I would define a <Location> as follows :

   RewriteRule ^/cgi-bin/script.pl$ /getit [L]
...
   <Location /getit>
     Authname something
     ... (other AAA-related directives)
     ProxyPass ^.* http://another-host.com/getit
     ProxyPassReverse / http://another-host.com/
   </Location>

Would that work ?
I am asking because this is a production server, with no real good test 
server available for testing this beforehand.

Thanks.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] mod_rewrite, mod_proxy and AAA

Posted by André Warnier <aw...@ice-sa.com>.
Krist,

I tried to find examples in mod_rewrite and mod_proxy, but did not quite 
find anything that really fit my issue.
But this nicely fills in the blanks, and is exactly what I needed.

And about
 > "When used inside a <Location> section, the first argument is omitted
 > and the local directory is obtained from the <Location>."

Yep. I looked, but missed the last 2 phrases of that ProxyPass section..
Enhancement suggestion : <b>...</b>

Thanks, a lot.
André

Krist van Besien wrote:
> On Sun, Oct 25, 2009 at 12:12 PM, André Warnier <aw...@ice-sa.com> wrote:
> 
>> Similarly, the doc. for ProxyPass indicates :
>> Context:        server config, virtual host, directory
>>
>> Does the above mean that they apply also to a <Location> section ?
> 
> You can use Proxy and ProxyPass directives in a <Location> container,
> but the syntax changes. As the docs mention:
> 
> "When used inside a <Location> section, the first argument is omitted
> and the local directory is obtained from the <Location>."
> 
> So this:
> 
> ProxyPass /getit http://another-host.com/getit
>  ProxyPassReverse /getit http://another-host.com/getit
> 
> And this:
> 
> <Location /getit>
> ProxyPass http://another-host.com/getit
> ProxyPassReverse  http://another-host.com/getit
> </Location>
> 
> Are both equivalent...
> 
> 
>> I would like however, that *before* the above proxying to the back-end takes
>> place, such requests would be subject to AAA on the front-end server.  For
>> this, I would define a <Location> as follows :
> 
> If you want to use a <Location> block to protect proxied content you
> will need to use the url you're proxying too.
>  So this would have to be:
> 
> <Location http://another-host.com/getit>
> # AAA directives
> </Location>
> 
> So you can't really combine them with your Proxy directive...
> 
> In your case though I would use a <Proxy> block. Makes it easier for
> the next person reading your config to understand what is going on.
> 
> So then your config would become something like:
> 
> RewriteRule ^/cgi-bin/script.pl$ /getit [P]
> ProxyPass /getit http://another-host.com/getit
> ProxyPassReverse /getit http://another-host.com/getit
> 
> <Proxy http://another-host.com/getit>
> # Your AAA directives go here...
> </Proxy>
> 
> This aproach has the advantage that you are actually protecting the
> _target_ of your rewrite (which is what I asume you want), and not the
> original URL. So even if you proxy other URLs to your backend they
> will also require authentication.
> 
> BTW, you could combine your rewrite and your proxypass statements:
> 
> RewriteRule ^/cgi-bin/script.pl$ /getit http://another-host.com/getit [P]
> 
> HTH,
> 
> Krist
> 
> 
> 
> 
> 
> 


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] mod_rewrite, mod_proxy and AAA

Posted by Krist van Besien <kr...@gmail.com>.
On Sun, Oct 25, 2009 at 12:12 PM, André Warnier <aw...@ice-sa.com> wrote:

> Similarly, the doc. for ProxyPass indicates :
> Context:        server config, virtual host, directory
>
> Does the above mean that they apply also to a <Location> section ?

You can use Proxy and ProxyPass directives in a <Location> container,
but the syntax changes. As the docs mention:

"When used inside a <Location> section, the first argument is omitted
and the local directory is obtained from the <Location>."

So this:

ProxyPass /getit http://another-host.com/getit
 ProxyPassReverse /getit http://another-host.com/getit

And this:

<Location /getit>
ProxyPass http://another-host.com/getit
ProxyPassReverse  http://another-host.com/getit
</Location>

Are both equivalent...


> I would like however, that *before* the above proxying to the back-end takes
> place, such requests would be subject to AAA on the front-end server.  For
> this, I would define a <Location> as follows :

If you want to use a <Location> block to protect proxied content you
will need to use the url you're proxying too.
 So this would have to be:

<Location http://another-host.com/getit>
# AAA directives
</Location>

So you can't really combine them with your Proxy directive...

In your case though I would use a <Proxy> block. Makes it easier for
the next person reading your config to understand what is going on.

So then your config would become something like:

RewriteRule ^/cgi-bin/script.pl$ /getit [P]
ProxyPass /getit http://another-host.com/getit
ProxyPassReverse /getit http://another-host.com/getit

<Proxy http://another-host.com/getit>
# Your AAA directives go here...
</Proxy>

This aproach has the advantage that you are actually protecting the
_target_ of your rewrite (which is what I asume you want), and not the
original URL. So even if you proxy other URLs to your backend they
will also require authentication.

BTW, you could combine your rewrite and your proxypass statements:

RewriteRule ^/cgi-bin/script.pl$ /getit http://another-host.com/getit [P]

HTH,

Krist






-- 
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] mod_rewrite, mod_proxy and AAA

Posted by Eric Covener <co...@gmail.com>.
On Sun, Oct 25, 2009 at 7:12 AM, André Warnier <aw...@ice-sa.com> wrote:
> Hi.
>
> environment : Apache 2.2, all platforms
>
> In the doc. for RewriteRule it specifies :
> Context:        server config, virtual host, directory, .htaccess
>
> Similarly, the doc. for ProxyPass indicates :
> Context:        server config, virtual host, directory
>
> Does the above mean that they apply also to a <Location> section ?
> Looking at http://httpd.apache.org/docs/2.2/sections.html
> it seems so, but I'd like to be sure.
>
>
> Underlying question :
>
> I currently have the following directives in a <VirtualHost> :
>
>        RewriteRule ^/cgi-bin/script.pl$ /getit [P]

P flag intended, or PT?

-- 
Eric Covener
covener@gmail.com

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org