You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@httpd.apache.org by Eric Jacobs <ej...@thomaspublishing.com> on 2009/09/09 16:28:25 UTC

[users@httpd] Downloaded java applet bypasses proxy

We were trying to add an extra layer of security in front of some financial 
apps with a reverse proxy (which required a login). It worked until we tried 
restricting access to financial apps only to proxy server. Turns out, after 
the initial connection, browsers downloaded applets which then tried to 
connect directly to financial servers. Is there a way (perhaps through 
mod_proxy_html) to rewrite the URL in the applet?

Eric Jacobs 




---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Downloaded java applet bypasses proxy

Posted by Nick Kew <ni...@webthing.com>.

Eric Jacobs wrote:
> We were trying to add an extra layer of security in front of some financial 
> apps with a reverse proxy (which required a login). It worked until we tried 
> restricting access to financial apps only to proxy server. Turns out, after 
> the initial connection, browsers downloaded applets which then tried to 
> connect directly to financial servers. Is there a way (perhaps through 
> mod_proxy_html) to rewrite the URL in the applet?

mod_proxy_html won't touch applet contents.  You'd be in with a chance
if your applet works by fetching text contents in HTML, but that's
not very likely.  A similar filtering approach could deal with
XML or (subject to a small risk of false positives) plain text,
but not if the data are embedded in the applet.

I should read the applet's documentation: does it allow you
to set a base URL (to the proxy), or stick to relative URLs?
If not, talk to your developer.

Come to think of it, a java class could rewrite URLs in the same
way as mod_proxy_html.  You'd have to figure out whether that'll
work within the applet sandbox (most likely for signed applets),
but that looks like an approach you could consider (and maybe
google for an existing class) if you don't have the applet source.

Or a firefox plugin could easily do the job if restricting your
users is an option.

-- 
Nick Kew

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org