Posted to users@httpd.apache.org by Ian Jeffray <ia...@jeffray.co.uk> on 2004/10/13 15:43:33 UTC

[users@httpd] Proxy on multiple ports - 2nd port has less facilities?

Hi all,

I sincerely hope this isn't a configuration question... I've
read as much as I can, and believe this may be a bug, so:

I've been using apache as a proxy for some time now, and I
also use the same apache to host a number of websites.
For various reasons, which are not important here, it is
vital that people using the proxy can get directly to those
hosted websites VIA the proxy.

This basically "feels" like apache is talking to itself, to
the user.  Great.  It works just fine -- on port 80.

For other amusing reasons which are not important here, I also
want the proxy to listen on a 2nd port.   I do this by adding
a "Listen" directive.  It works just fine.

EXCEPT:  Requests to the proxy on this 2nd port cannot get
pages from the websites hosted by apache itself.  Very odd.
The requests just get forwarded out of the system, which
then cannot find the server in question (it basically tries
to request out of our firewall for something which is inside it
and should have been handled, so gets blocked there, in any
case, I don't want requests going out of the firewall, router,
then back in it... that's just silly).

Has anyone else come across this issue with the proxy server
or have any ideas what may be causing it?

I'm using Apache/1.3.31 (Debian GNU/Linux) from debian 'testing'
distribution.

TIA

Ian Jeffray

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Proxy on multiple ports - 2nd port has less facilities?

Posted by Ian Jeffray <ia...@jeffray.co.uk>.
Alexander Stoll wrote:
> Ian Jeffray wrote:
> 
>> Yes, but that's really not the point, the request should never go
>> anywhere near the FW/NAT.
>>
>> Clients -> [Proxy|Server] -> Firewall -> Internet
>>
>> The clients using the proxy, to get to "Server" should never end up
>> having "Proxy" send a packet to "Firewall"... because it should all
>> be handled inside apache, and IS handled, for proxy requests on port
>> 80.
> 
> 
> ok, some fog fades away... but still not sure to fully understand your 
> config...
> 
> When you telnet to port 80 to server component on internal IP the page
> is normally served...

Well, yes, but in this instance, I'm making a proxy request there.
That's been my default, working just fine, proxy and server config.

> But the proxy component seems not to "know" about the services on port
> 80, it acts like an external proxy application resolving and fetching the
> requested site via official IP provided via DNS.

It _does_ know about it *SO LONG AS* the proxy request is made on
port 80, not another port.

To be clear: the proxy works perfectly when talking to it on port 80.

> Please post details from the proxy section of the config. Someone with
> good knowledge and experience of reverse proxy scenarios should be able
> to answer if this could be worked around via config directives.

Port 80
Listen 3128
Listen 80

ProxyRequests on
ProxyDomain .internal
NoProxy .internal 10.0.0.0/8
CacheRoot /var/spool/apache
CacheSize 20000
CacheGcInterval 0.1
CacheMaxExpire 24
CacheLastModifiedFactor 0.1
ProxyIOBufferSize 131072
<Directory proxy:*>
     Order deny,allow
     Deny from all
     Allow from 10.0.0.0/255.0.0.0
</Directory>



Ian






Re: [users@httpd] Proxy on multiple ports - 2nd port has less facilities?

Posted by Alexander Stoll <te...@gmx.de>.
Ian Jeffray wrote:

> Yes, but that's really not the point, the request should never go
> anywhere near the FW/NAT.
> 
> Clients -> [Proxy|Server] -> Firewall -> Internet
> 
> The clients using the proxy, to get to "Server" should never end up
> having "Proxy" send a packet to "Firewall"... because it should all
> be handled inside apache, and IS handled, for proxy requests on port
> 80.

ok, some fog fades away... but still not sure to fully understand your 
config...

When you telnet to port 80 to server component on internal IP the page
is normally served...
But the proxy component seems not to "know" about the services on port
80, it acts like an external proxy application resolving and fetching the
requested site via official IP provided via DNS.
Please post details from the proxy section of the config. Someone with
good knowledge and experience of reverse proxy scenarios should be able
to answer if this could be worked around via config directives.
A quick shot: Fill in your www domain in the local hosts file and test
resolving on the server machine to the private IP. Maybe this could be
sufficient, try it and you lose nothing if it doesn't work.

regards, AS

Re: [users@httpd] Proxy on multiple ports - 2nd port has less facilities?

Posted by Ian Jeffray <ia...@jeffray.co.uk>.
Alexander Stoll wrote:
> Ian Jeffray wrote:
> 
>> EXCEPT:  Requests to the proxy on this 2nd port cannot get
>> pages from the websites hosted by apache itself.  Very odd.
>> The requests just get forwarded out of the system, which
>> then cannot find the server in question (it basically tries
>> to request out of our firewall for something which is inside it
>> and should have been handled, so gets blocked there, in any
>> case, I don't want requests going out of the firewall, router,
>> then back in it... that's just silly).
>>
>> Has anyone else come across this issue with the proxy server
>> or have any ideas what may be causing it?
> 
> 
> without further description of your topology, this sounds like your
> proxy tries to fetch a page from the site that resolves to an official 
> ip, your system only knows the default route via FW and it is routing 
> the request back "in"...

Yes, that does sound like what it's doing on non-port-80-proxy-requests.
That was my original question.  The request should never get as far as
the firewall machine;  because the name matches the site that apache
itself is hosting, it should serve it directly.

This *DOES* work when talking to the apache proxy on port 80 but not
when talking to it via another "Listen"-assigned port.

> Is your FW performing any NAT for the unproxied HTTP-Host?

Yes, but that's really not the point, the request should never go
anywhere near the FW/NAT.

Clients -> [Proxy|Server] -> Firewall -> Internet

The clients using the proxy, to get to "Server" should never end up
having "Proxy" send a packet to "Firewall"... because it should all
be handled inside apache, and IS handled, for proxy requests on port
80.

Compare:

==================
ian@puffin $ telnet proxy 80
Trying 10.0.0.253...
Connected to proxy.
Escape character is '^]'.
GET http://www.mydomain.co.uk/ HTTP/1.0

HTTP/1.1 200 OK
===================
<web page from www.mydomain.co.uk follows as expected>


===================
ian@puffin $ telnet proxy 3128
Trying 10.0.0.253...
Connected to proxy.
Escape character is '^]'.
GET http://www.mydomain.co.uk/ HTTP/1.0

HTTP/1.1 401 Unauthorized
Date: Wed, 13 Oct 2004 17:07:22 GMT
Server: ZyXEL-RomPager/3.02
====================
<http request blocked at firewall as they should never get that far>
====================

Apache listens on both port 80 and 3128.

My question could perhaps be put more simply;   why do proxy requests
to any port other than the "Port" assigned port appear to not go
through the same internal ruleset?

Ian.
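
Added example (not part of the original post): a small Python version of the
telnet comparison above, which sends the same proxy-style request to each
listening port and reports any port whose status line or Server header differs
from port 80's answer, i.e. where the request was answered by some other device.
The hostname and URL in the commented live call are the ones used in the thread;
the Apache Server header in the port-80 sample is constructed, since the
transcript does not show it.

```python
import socket

def parse_head(raw: bytes):
    """Return (status_code, Server header or None) from a raw HTTP response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(None, 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP response: %r" % lines[0])
    server = None
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            server = value.strip()
    return int(parts[1]), server

def probe(proxy_host, port, url, timeout=5.0):
    """Send the absolute-URI request typed in the telnet sessions."""
    request = "GET %s HTTP/1.0\r\n\r\n" % url
    with socket.create_connection((proxy_host, port), timeout=timeout) as s:
        s.sendall(request.encode("ascii"))
        buf = b""
        # Read only the response head; cap it so a bad peer cannot flood us.
        while b"\r\n\r\n" not in buf and len(buf) < 65536:
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
    return parse_head(buf)

def diverging_ports(results, reference_port=80):
    """Ports whose (status, Server) differs from the reference port's answer."""
    ref = results[reference_port]
    return sorted(p for p, r in results.items() if r != ref)

# Constructed sample responses, modelled on the two telnet transcripts above.
SAMPLE = {
    80: b"HTTP/1.1 200 OK\r\nServer: Apache/1.3.31 (Debian GNU/Linux)\r\n\r\n<html>",
    3128: b"HTTP/1.1 401 Unauthorized\r\nDate: Wed, 13 Oct 2004 17:07:22 GMT\r\n"
          b"Server: ZyXEL-RomPager/3.02\r\n\r\n",
}

if __name__ == "__main__":
    parsed = {port: parse_head(raw) for port, raw in SAMPLE.items()}
    print(parsed, "diverging:", diverging_ports(parsed))
    # Live use from a client on the internal network:
    # results = {p: probe("proxy", p, "http://www.mydomain.co.uk/") for p in (80, 3128)}
```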



Re: [users@httpd] Proxy on multiple ports - 2nd port has less facilities?

Posted by Alexander Stoll <te...@gmx.de>.
Ian Jeffray wrote:

> EXCEPT:  Requests to the proxy on this 2nd port cannot get
> pages from the websites hosted by apache itself.  Very odd.
> The requests just get forwarded out of the system, which
> then cannot find the server in question (it basically tries
> to request out of our firewall for something which is inside it
> and should have been handled, so gets blocked there, in any
> case, I don't want requests going out of the firewall, router,
> then back in it... that's just silly).
> 
> Has anyone else come across this issue with the proxy server
> or have any ideas what may be causing it?

without further description of your topology, this sounds like your
proxy tries to fetch a page from the site that resolves to an official 
ip, your system only knows the default route via FW and it is routing 
the request back "in"...
Is your FW performing any NAT for the unproxied HTTP-Host?
If so, you have two options:

- Rewrite the request to the internal IP/Port

- ensure that the proxy resolves to the internal IP for requests
e. g. via local HOSTS file or local DNS Cache...

regards, AS