You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@httpd.apache.org by David Sklar <da...@gmail.com> on 2008/01/09 00:10:31 UTC
mod_dav patch to force scheme/port on https->http proxying
I am having a similar problem to what's mentioned at
http://svn.haxx.se/users/archive-2005-03/1424.shtml -- namely when
exposing an HTTPS server that proxies DAV requests to a server running
mod_dav over HTTP, copy/move requests fail because the destination
sent by the client for the copy/move uses the external URL (with
https). When mod_dav compares that to the source URL in
dav_lookup_uri(), the scheme and port don't match and a 502 is
returned.
The attached patch attempts to remedy the problem by adding two
configuration directives, "DAVForcedScheme" and "DAVForcedPort". If
"DAVForcedScheme" is set then the uri that dav_lookup_uri() is asked
to lookup is modified to explicitly use the supplied scheme. Similar
deal w/r/t port if "DAVForcedPort" is set.
Setting "DAVForcedScheme http" and "DAVForcedPort 80" solve my problem
in a test setup with mod_proxy+mod_ssl running on port 443
reverse-proxying DAV requests over to mod_dav running on (a different
machine) on port 80.
Any comments on the patch would be appreciated -- it's wonderful, it's
a good solution but could be improved, it's a ridiculous way to solve
this problem, etc.
Thanks,
David
Re: mod_dav patch to force scheme/port on https->http proxying
Posted by David Sklar <da...@gmail.com>.
On Jan 9, 2008 2:00 AM, Sander Temme <sc...@apache.org> wrote:
>
> On Jan 8, 2008, at 3:10 PM, David Sklar wrote:
>
> > Any comments on the patch would be appreciated -- it's wonderful, it's
> > a good solution but could be improved, it's a ridiculous way to solve
> > this problem, etc.
>
> Doesn't setting the global directive:
>
> ServerName https://foo.bar:443
>
> already do what you need?
Indeed it does! Thanks for the tip.
David
Re: mod_dav patch to force scheme/port on https->http proxying
Posted by Plüm,
Rüdiger,
VF-Group <ru...@vodafone.com>.
> -----Ursprüngliche Nachricht-----
> Von: Sander Temme
> Gesendet: Mittwoch, 9. Januar 2008 08:01
> An: dev@httpd.apache.org
> Betreff: Re: mod_dav patch to force scheme/port on
> https->http proxying
>
>
>
> On Jan 8, 2008, at 3:10 PM, David Sklar wrote:
>
> > Any comments on the patch would be appreciated -- it's
> wonderful, it's
> > a good solution but could be improved, it's a ridiculous
> way to solve
> > this problem, etc.
>
> Doesn't setting the global directive:
>
> ServerName https://foo.bar:443
>
> already do what you need?
>
> I'd rather see a solution in terms of that directive (where mod_dav
> picks up the setting in core which is there specifically for the
> scenario you describe and is available through the
> ap_hook_http_scheme
> hook), or an extension to the ProxyPassReverse case which rewrites
> this particular repsonse part in addition to any Location: header it
> encounters.
I agree that a general solution is preferred. Changing headers like the
Location header of incoming requests is already possible via mod_headers,
but what makes things really nasty with WebDAV is the fact that you also
need to modify the body of the request. For responses you could use
mod_substitute to do this, but mod_substitute is only an output filter
not an input filter.
Regards
Rüdiger
Re: mod_dav patch to force scheme/port on https->http proxying
Posted by Sander Temme <sc...@apache.org>.
On Jan 8, 2008, at 3:10 PM, David Sklar wrote:
> Any comments on the patch would be appreciated -- it's wonderful, it's
> a good solution but could be improved, it's a ridiculous way to solve
> this problem, etc.
Doesn't setting the global directive:
ServerName https://foo.bar:443
already do what you need?
I'd rather see a solution in terms of that directive (where mod_dav
picks up the setting in core which is there specifically for the
scenario you describe and is available through the ap_hook_http_scheme
hook), or an extension to the ProxyPassReverse case which rewrites
this particular repsonse part in addition to any Location: header it
encounters.
S.
--
Sander Temme
sctemme@apache.org
PGP FP: 51B4 8727 466A 0BC3 69F4 B7B8 B2BE BC40 1529 24AF
Re: mod_dav patch to force scheme/port on https->http proxying
Posted by Paul Querna <ch...@force-elite.com>.
Henrik Nordström wrote:
> tis 2008-01-08 klockan 18:10 -0500 skrev David Sklar:
>
>> The attached patch attempts to remedy the problem by adding two
>> configuration directives, "DAVForcedScheme" and "DAVForcedPort". If
>> "DAVForcedScheme" is set then the uri that dav_lookup_uri() is asked
>> to lookup is modified to explicitly use the supplied scheme. Similar
>> deal w/r/t port if "DAVForcedPort" is set.
>
> Shouldn't these really be global and changing the internal view of the
> request rather than overriding things within mod_dav? The same problem
> applies to PHP, CGI, intenally generated redirects, etc, etc.
+1, I would like soemthing like this too.
-Paul
Re: mod_dav patch to force scheme/port on https->http proxying
Posted by Henrik Nordström <he...@henriknordstrom.net>.
tis 2008-01-08 klockan 18:10 -0500 skrev David Sklar:
> The attached patch attempts to remedy the problem by adding two
> configuration directives, "DAVForcedScheme" and "DAVForcedPort". If
> "DAVForcedScheme" is set then the uri that dav_lookup_uri() is asked
> to lookup is modified to explicitly use the supplied scheme. Similar
> deal w/r/t port if "DAVForcedPort" is set.
Shouldn't these really be global and changing the internal view of the
request rather than overriding things within mod_dav? The same problem
applies to PHP, CGI, intenally generated redirects, etc, etc.
Regards
Henrik