You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by gb1071nx <gb...@globallyboundless.com> on 2007/09/12 21:28:58 UTC
[users@httpd] Paranoia check regarding mod_proxy / mod_rewrite
I've just recently compiled and installed the mod_rewrite and mod_proxy
modules. My specific reason for doing so is that I wanted to use AJAX
calls between two internal (intranet) domains, but due to 'same origin'
policy, could not. Google told me that I can get around this by
proxying. All sorts of PHP examples abounded, but 1) I'm a java
programmer and 2) I don't want to write my own proxy code so 3) let's
just use mod_rewrite!
I've now got that all set up and working. My one domain successfully
makes AJAX calls to the second, all through mod_rewrite. But now I'm
wanting to make absolutely certain of something:
The *only* references I have to mod_proxy or mod_rewrite are the
LoadModule commands, and my one mod_rewrite section:
RewriteEngine On
RewriteRule ^/myproxy/(.*)/(.*)$ http://$1/foo/bar.jsp?x=$2 [P]
I see this commented-out section as well:
#<IfModule mod_proxy.c>
#ProxyRequests On
#
#<Proxy *>
# Order deny,allow
# Deny from all
# Allow from .example.com
#</Proxy>
I'm just worried/wondering if my server is "secure", and that it's not
acting as an open proxy? Am I right in thinking that unless I
explicitly turn on ProxyRequests, that merely loading the module does
not cause it to become a proxy server?
Secondly, could I use the <Proxy *> control block to limit even the
reverse proxy to *only* accept requests from that single internal host?
Or have I effectively done this, by making my RewriteEngine and
RewriteRule directives within a virtual host block?
Thanks.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Paranoia check regarding mod_proxy / mod_rewrite
Posted by Vincent Bray <no...@gmail.com>.
On 13/09/2007, gb1071nx <gb...@globallyboundless.com> wrote:
>
> I've just recently compiled and installed the mod_rewrite and mod_proxy
> modules. My specific reason for doing so is that I wanted to use AJAX
> calls between two internal (intranet) domains, but due to 'same origin'
> policy, could not. Google told me that I can get around this by
> proxying. All sorts of PHP examples abounded, but 1) I'm a java
> programmer and 2) I don't want to write my own proxy code so 3) let's
> just use mod_rewrite!
>
> I've now got that all set up and working. My one domain successfully
> makes AJAX calls to the second, all through mod_rewrite. But now I'm
> wanting to make absolutely certain of something:
>
> The *only* references I have to mod_proxy or mod_rewrite are the
> LoadModule commands, and my one mod_rewrite section:
Are you using apache 1.3? If not, you'll need mod_proxy_http loaded
too. If so, upgrade to 2.2 as the proxy module in 1.3 is obsolete and
missing several major features available in 2.x.
> RewriteEngine On
> RewriteRule ^/myproxy/(.*)/(.*)$ http://$1/foo/bar.jsp?x=$2 [P]
>
>
> I see this commented-out section as well:
>
> #<IfModule mod_proxy.c>
> #ProxyRequests On
> #
> #<Proxy *>
> # Order deny,allow
> # Deny from all
> # Allow from .example.com
> #</Proxy>
>
>
> I'm just worried/wondering if my server is "secure", and that it's not
> acting as an open proxy? Am I right in thinking that unless I
> explicitly turn on ProxyRequests, that merely loading the module does
> not cause it to become a proxy server?
You're correct that ProxyRequests defaults to off. However, your
rewrite rule has effectively created an open proxy, albeit one that
will always request /foo/bar.jsp?x=
> Secondly, could I use the <Proxy *> control block to limit even the
> reverse proxy to *only* accept requests from that single internal host?
> Or have I effectively done this, by making my RewriteEngine and
> RewriteRule directives within a virtual host block?
Yes and no. You can use a <Proxy block to restrict which host
addresses apache can make proxy requests to, and you can use <Location
to determine which clients can make requests to it.
--
noodl
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org