Posted to users@httpd.apache.org by jv r <jv...@gmail.com> on 2013/08/22 16:29:36 UTC

[users@httpd] Control access to files with proxies

I'm using a proxy to go to a PHP file, to be sure the request comes from a
script on the server.

At /var/www/vhosts/domain.com/httpdocs (the document root of this virtual
host)
In the .htaccess file:

    RewriteCond %{SCRIPT_FILENAME} -l
    RewriteCond %{REQUEST_URI} tmp$
    RewriteRule .* http://domain.com/proxy/tmpr.php [P]

Symlink - the symlink goes to another file but is not important because a
proxy is used later to another file

    lrwxrwxrwx.  1 root   root        54 ago 14 21:11 tmp -> /var/www/vhosts/domain.com/httpdocs/proxy/tmp.php

At /var/www/vhosts/domain.com/httpdocs/proxy (the directory has
AllowOverride in the .conf file)
there is another .htaccess file:

    RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.12
    RewriteRule .* - [F]

    RewriteRule ^directory/(.*)$ ajp://localhost:8009/directory/$1 [P]


192.168.1.12 is a local IPv4 address where the Apache server is located

The test is made from another local ip address 192.168.1.10
When I browse domain.com/tmp, a proxy request is made to
domain.com/proxy/tmpr.php correctly
If I try to browse directly to domain.com/proxy/tmpr.php I'm being
redirected to Forbidden 403 correctly


At tmpr.php file:

    <?php
    foreach ($_SERVER as $key_name => $key_value) {
        print $key_name . " = " . $key_value . "<br>";
    }
    ?>

    <applet id='applet' codebase="/proxy/directory/" code='applet.applettest' archive='./sappletTest.jar' width=1 height=1>
    </applet>


The applet is a signed jar file, and it works without these two lines from
any ip:
    RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.12
    RewriteRule .* - [F]
And browsing domain.com/proxy/tmpr.php directly is showing a text message
in the init() method.

And the log shows the OK for this proxy:

    RewriteRule ^directory/(.*)$ ajp://localhost:8009/directory/$1 [P]


When browsing domain.com/tmp the proxy is activated:

    192.168.1.10 - - [22/Aug/2013:13:49:33 +0200] [domain.com/sid#1edcb20][rid#2159348/initial] (1) [perdir /var/www/vhosts/domain.com/httpdocs/] go-ahead with proxy request proxy:http://domain.com/proxy/tmpr.php [OK]

I'm accessing tmpr.php as REMOTE_ADDR 192.168.1.12:

    192.168.1.12 - - [22/Aug/2013:13:49:33 +0200] [domain.com/sid#1edcb20][rid#2159348/initial] (4) [perdir /var/www/vhosts/domain.com/httpdocs/proxy/] RewriteCond: input='192.168.1.12' pattern='!^192\\.168\\.1\\.12' => not-matched

The php code executed at tmpr.php

    HTTP_HOST = domain.com
    HTTP_ACCEPT = text/html, application/xhtml+xml, */*
    HTTP_ACCEPT_LANGUAGE = es-ES
    HTTP_USER_AGENT = Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
    HTTP_ACCEPT_ENCODING = gzip, deflate
    HTTP_DNT = 1
    HTTP_X_FORWARDED_FOR = 192.168.1.10
    HTTP_X_FORWARDED_HOST = domain.com
    HTTP_X_FORWARDED_SERVER = domain.com
    HTTP_CONNECTION = Keep-Alive
    PATH = /sbin:/usr/sbin:/bin:/usr/bin
    SERVER_SIGNATURE =
    Apache/2.2.15 (CentOS) Server at domain.com Port 80

    SERVER_SOFTWARE = Apache/2.2.15 (CentOS)
    SERVER_NAME = domain.com
    SERVER_ADDR = 192.168.1.12
    SERVER_PORT = 80
    REMOTE_ADDR = 192.168.1.12

If I access domain.com/proxy/tmpr.php without these two Rewrite lines

    RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.12
    RewriteRule .* - [F]

REMOTE_ADDR = 192.168.1.10 is shown.

    DOCUMENT_ROOT = /var/www/vhosts/domain.com/httpdocs
    SERVER_ADMIN = admin@domain.com
    SCRIPT_FILENAME = /var/www/vhosts/domain.com/httpdocs/proxy/tmpr.php
    REMOTE_PORT = 35750
    GATEWAY_INTERFACE = CGI/1.1
    SERVER_PROTOCOL = HTTP/1.1
    REQUEST_METHOD = GET
    QUERY_STRING =
    REQUEST_URI = /proxy/tmpr.php
    SCRIPT_NAME = /proxy/tmpr.php
    PHP_SELF = /proxy/tmpr.php
    REQUEST_TIME = 1377172173


But the problem is the next part of the code, the applet tag is executed
without the proxy in the same request.
    192.168.1.10 - - [22/Aug/2013:13:49:37 +0200] [domain.com/sid#1edcb20][rid#215b350/initial] (4) [perdir /var/www/vhosts/domain.com/httpdocs/proxy/] RewriteCond: input='192.168.1.10' pattern='!^192\\.168\\.1\\.12' => matched

    192.168.1.10 - - [22/Aug/2013:13:49:37 +0200] [domain.com/sid#1edcb20][rid#215b350/initial] (3) [perdir /var/www/vhosts/domain.com/httpdocs/proxy/] add path info postfix: /var/www/vhosts/domain.com/httpdocs/proxy/directory -> /var/www/vhosts/domain.com/httpdocs/proxy/directory/sappletTest.jar
    192.168.1.10 - - [22/Aug/2013:13:49:37 +0200] [domain.com/sid#1edcb20][rid#215b350/initial] (3) [perdir /var/www/vhosts/domain.com/httpdocs/proxy/] strip per-dir prefix: /var/www/vhosts/domain.com/httpdocs/proxy/directory/sappletTest.jar -> directory/sappletTest.jar
    192.168.1.10 - - [22/Aug/2013:13:49:37 +0200] [domain.com/sid#1edcb20][rid#215b350/initial] (3) [perdir /var/www/vhosts/domain.com/httpdocs/proxy/] applying pattern '.*' to uri 'directory/sappletTest.jar'
    192.168.1.10 - - [22/Aug/2013:13:49:37 +0200] [domain.com/sid#1edcb20][rid#215b350/initial] (4) [perdir /var/www/vhosts/domain.com/httpdocs/proxy/] RewriteCond: input='192.168.1.10' pattern='!^192\\.168\\.1\\.12' => matched
    192.168.1.10 - - [22/Aug/2013:13:49:37 +0200] [domain.com/sid#1edcb20][rid#215b350/initial] (2) [perdir /var/www/vhosts/domain.com/httpdocs/proxy/] forcing responsecode 403 for /var/www/vhosts/domain.com/httpdocs/proxy/directory

If tmpr.php is accessed through a proxy request, a unique request,
why is part of the code not executed through the proxy, if the code of the
file is obtained through this proxy?


The worst thing is that two days ago this was working correctly; I had tested
it a few times.
Today I have got a pseudo proxy.


You can see the log below, and the proxies' behavior. (Ignore the favicon.ico
logs)

RewriteLog accessing domain.com/tmp (a unique request)
192.168.1.10 - - [22/Aug/2013:13:49:33 +0200] [
domain.com/sid#1edcb20][rid#2159348/initial] (3) [perdir /var/www/vhosts/
domain.com/httpdocs/] strip per-dir prefix: /var/www/vhosts/
domain.com/httpdocs/tmp -> tmp
192.168.1.10 - - [22/Aug/2013:13:49:33 +0200] [
domain.com/sid#1edcb20][rid#2159348/initial] (3) [perdir /var/www/vhosts/
domain.com/httpdocs/] applying pattern '.*' to uri 'tmp'
192.168.1.10 - - [22/Aug/2013:13:49:33 +0200] [
domain.com/sid#1edcb20][rid#2159348/initial] (4) [perdir /var/www/vhosts/
domain.com/httpdocs/] RewriteCond: input='/var/www/vhosts/
domain.com/httpdocs/tmp' pattern='-l' => matched
192.168.1.10 - - [22/Aug/2013:13:49:33 +0200] [
domain.com/sid#1edcb20][rid#2159348/initial] (4) [perdir /var/www/vhosts/
domain.com/httpdocs/] RewriteCond: input='/tmp' pattern='tmp$' => matched
192.168.1.10 - - [22/Aug/2013:13:49:33 +0200] [
domain.com/sid#1edcb20][rid#2159348/initial] (2) [perdir /var/www/vhosts/
domain.com/httpdocs/] rewrite 'tmp' -> 'http://domain.com/proxy/tmpr.php'
192.168.1.10 - - [22/Aug/2013:13:49:33 +0200] [
domain.com/sid#1edcb20][rid#2159348/initial] (2) [perdir /var/www/vhosts/
domain.com/httpdocs/] escaped URI in per-dir context for proxy,
http://domain.com/proxy/tmpr.php -> http://domain.com/proxy/tmpr.php
192.168.1.10 - - [22/Aug/2013:13:49:33 +0200] [
domain.com/sid#1edcb20][rid#2159348/initial] (2) [perdir /var/www/vhosts/
domain.com/httpdocs/] forcing proxy-throughput with
http://domain.com/proxy/tmpr.php
192.168.1.10 - - [22/Aug/2013:13:49:33 +0200] [
domain.com/sid#1edcb20][rid#2159348/initial] (1) [perdir /var/www/vhosts/
domain.com/httpdocs/] go-ahead with proxy request proxy:
http://domain.com/proxy/tmpr.php [OK]
192.168.1.12 - - [22/Aug/2013:13:49:33 +0200] [
domain.com/sid#1edcb20][rid#2159348/initial] (3) [perdir /var/www/vhosts/
domain.com/httpdocs/proxy/] strip per-dir prefix: /var/www/vhosts/
domain.com/httpdocs/proxy/tmpr.php -> tmpr.php
192.168.1.12 - - [22/Aug/2013:13:49:33 +0200] [
domain.com/sid#1edcb20][rid#2159348/initial] (3) [perdir /var/www/vhosts/
domain.com/httpdocs/proxy/] applying pattern '.*' to uri 'tmpr.php'
192.168.1.12 - - [22/Aug/2013:13:49:33 +0200] [
domain.com/sid#1edcb20][rid#2159348/initial] (4) [perdir /var/www/vhosts/
domain.com/httpdocs/proxy/] RewriteCond: input='192.168.1.12'
pattern='!^192\\.168\\.1\\.12' => not-matched
192.168.1.12 - - [22/Aug/2013:13:49:33 +0200] [
domain.com/sid#1edcb20][rid#2159348/initial] (3) [perdir /var/www/vhosts/
domain.com/httpdocs/proxy/] strip per-dir prefix: /var/www/vhosts/
domain.com/httpdocs/proxy/tmpr.php -> tmpr.php
192.168.1.12 - - [22/Aug/2013:13:49:33 +0200] [
domain.com/sid#1edcb20][rid#2159348/initial] (3) [perdir /var/www/vhosts/
domain.com/httpdocs/proxy/] applying pattern '^directory/(.*)$' to uri
'tmpr.php'
192.168.1.12 - - [22/Aug/2013:13:49:33 +0200] [
domain.com/sid#1edcb20][rid#2159348/initial] (1) [perdir /var/www/vhosts/
domain.com/httpdocs/proxy/] pass through /var/www/vhosts/
domain.com/httpdocs/proxy/tmpr.php
192.168.1.10 - - [22/Aug/2013:13:49:33 +0200] [
domain.com/sid#1edcb20][rid#2159348/initial] (3) [perdir /var/www/vhosts/
domain.com/httpdocs/] strip per-dir prefix: /var/www/vhosts/
domain.com/httpdocs/favicon.ico -> favicon.ico
192.168.1.10 - - [22/Aug/2013:13:49:33 +0200] [
domain.com/sid#1edcb20][rid#2159348/initial] (3) [perdir /var/www/vhosts/
domain.com/httpdocs/] applying pattern '.*' to uri 'favicon.ico'
192.168.1.10 - - [22/Aug/2013:13:49:33 +0200] [
domain.com/sid#1edcb20][rid#2159348/initial] (4) [perdir /var/www/vhosts/
domain.com/httpdocs/] RewriteCond: input='/var/www/vhosts/
domain.com/httpdocs/favicon.ico' pattern='-l' => not-matched
192.168.1.10 - - [22/Aug/2013:13:49:33 +0200] [
domain.com/sid#1edcb20][rid#2159348/initial] (3) [perdir /var/www/vhosts/
domain.com/httpdocs/] strip per-dir prefix: /var/www/vhosts/
domain.com/httpdocs/favicon.ico -> favicon.ico
192.168.1.10 - - [22/Aug/2013:13:49:33 +0200] [
domain.com/sid#1edcb20][rid#2159348/initial] (3) [perdir /var/www/vhosts/
domain.com/httpdocs/] applying pattern '.*' to uri 'favicon.ico'
192.168.1.10 - - [22/Aug/2013:13:49:33 +0200] [
domain.com/sid#1edcb20][rid#2159348/initial] (4) [perdir /var/www/vhosts/
domain.com/httpdocs/] RewriteCond: input='/favicon.ico' pattern='\\..+$' =>
matched
192.168.1.10 - - [22/Aug/2013:13:49:33 +0200] [
domain.com/sid#1edcb20][rid#2159348/initial] (4) [perdir /var/www/vhosts/
domain.com/httpdocs/] RewriteCond: input='/favicon.ico' pattern='!\\.html$'
=> matched
192.168.1.10 - - [22/Aug/2013:13:49:33 +0200] [
domain.com/sid#1edcb20][rid#2159348/initial] (1) [perdir /var/www/vhosts/
domain.com/httpdocs/] pass through /var/www/vhosts/
domain.com/httpdocs/favicon.ico
192.168.1.10 - - [22/Aug/2013:13:49:37 +0200] [
domain.com/sid#1edcb20][rid#215b350/initial] (3) [perdir /var/www/vhosts/
domain.com/httpdocs/proxy/] add path info postfix: /var/www/vhosts/
domain.com/httpdocs/proxy/directory -> /var/www/vhosts/
domain.com/httpdocs/proxy/directory/sappletTest.jar
192.168.1.10 - - [22/Aug/2013:13:49:37 +0200] [
domain.com/sid#1edcb20][rid#215b350/initial] (3) [perdir /var/www/vhosts/
domain.com/httpdocs/proxy/] strip per-dir prefix: /var/www/vhosts/
domain.com/httpdocs/proxy/directory/sappletTest.jar ->
directory/sappletTest.jar
192.168.1.10 - - [22/Aug/2013:13:49:37 +0200] [
domain.com/sid#1edcb20][rid#215b350/initial] (3) [perdir /var/www/vhosts/
domain.com/httpdocs/proxy/] applying pattern '.*' to uri
'directory/sappletTest.jar'
192.168.1.10 - - [22/Aug/2013:13:49:37 +0200] [
domain.com/sid#1edcb20][rid#215b350/initial] (4) [perdir /var/www/vhosts/
domain.com/httpdocs/proxy/] RewriteCond: input='192.168.1.10'
pattern='!^192\\.168\\.1\\.12' => matched
192.168.1.10 - - [22/Aug/2013:13:49:37 +0200] [
domain.com/sid#1edcb20][rid#215b350/initial] (2) [perdir /var/www/vhosts/
domain.com/httpdocs/proxy/] forcing responsecode 403 for /var/www/vhosts/
domain.com/httpdocs/proxy/directory
192.168.1.10 - - [22/Aug/2013:13:49:37 +0200] [
domain.com/sid#1edcb20][rid#215d358/initial] (3) [perdir /var/www/vhosts/
domain.com/httpdocs/proxy/] add path info postfix: /var/www/vhosts/
domain.com/httpdocs/proxy/directory -> /var/www/vhosts/
domain.com/httpdocs/proxy/directory/sappletTest.jar
192.168.1.10 - - [22/Aug/2013:13:49:37 +0200] [
domain.com/sid#1edcb20][rid#215d358/initial] (3) [perdir /var/www/vhosts/
domain.com/httpdocs/proxy/] strip per-dir prefix: /var/www/vhosts/
domain.com/httpdocs/proxy/directory/sappletTest.jar ->
directory/sappletTest.jar
192.168.1.10 - - [22/Aug/2013:13:49:37 +0200] [
domain.com/sid#1edcb20][rid#215d358/initial] (3) [perdir /var/www/vhosts/
domain.com/httpdocs/proxy/] applying pattern '.*' to uri
'directory/sappletTest.jar'
192.168.1.10 - - [22/Aug/2013:13:49:37 +0200] [
domain.com/sid#1edcb20][rid#215d358/initial] (4) [perdir /var/www/vhosts/
domain.com/httpdocs/proxy/] RewriteCond: input='192.168.1.10'
pattern='!^192\\.168\\.1\\.12' => matched
192.168.1.10 - - [22/Aug/2013:13:49:37 +0200] [
domain.com/sid#1edcb20][rid#215d358/initial] (2) [perdir /var/www/vhosts/
domain.com/httpdocs/proxy/] forcing responsecode 403 for /var/www/vhosts/
domain.com/httpdocs/proxy/directory
192.168.1.10 - - [22/Aug/2013:13:49:37 +0200] [
domain.com/sid#1edcb20][rid#215b350/initial] (3) [perdir /var/www/vhosts/
domain.com/httpdocs/proxy/] add path info postfix: /var/www/vhosts/
domain.com/httpdocs/proxy/directory -> /var/www/vhosts/
domain.com/httpdocs/proxy/directory/sappletTest.jar
192.168.1.10 - - [22/Aug/2013:13:49:37 +0200] [
domain.com/sid#1edcb20][rid#215b350/initial] (3) [perdir /var/www/vhosts/
domain.com/httpdocs/proxy/] strip per-dir prefix: /var/www/vhosts/
domain.com/httpdocs/proxy/directory/sappletTest.jar ->
directory/sappletTest.jar
192.168.1.10 - - [22/Aug/2013:13:49:37 +0200] [
domain.com/sid#1edcb20][rid#215b350/initial] (3) [perdir /var/www/vhosts/
domain.com/httpdocs/proxy/] applying pattern '.*' to uri
'directory/sappletTest.jar'
192.168.1.10 - - [22/Aug/2013:13:49:37 +0200] [
domain.com/sid#1edcb20][rid#215b350/initial] (4) [perdir /var/www/vhosts/
domain.com/httpdocs/proxy/] RewriteCond: input='192.168.1.10'
pattern='!^192\\.168\\.1\\.12' => matched
192.168.1.10 - - [22/Aug/2013:13:49:37 +0200] [
domain.com/sid#1edcb20][rid#215b350/initial] (2) [perdir /var/www/vhosts/
domain.com/httpdocs/proxy/] forcing responsecode 403 for /var/www/vhosts/
domain.com/httpdocs/proxy/directory
192.168.1.10 - - [22/Aug/2013:13:49:37 +0200] [
domain.com/sid#1edcb20][rid#215d358/initial] (3) [perdir /var/www/vhosts/
domain.com/httpdocs/proxy/] add path info postfix: /var/www/vhosts/
domain.com/httpdocs/proxy/directory -> /var/www/vhosts/
domain.com/httpdocs/proxy/directory/sappletTest.jar
192.168.1.10 - - [22/Aug/2013:13:49:37 +0200] [
domain.com/sid#1edcb20][rid#215d358/initial] (3) [perdir /var/www/vhosts/
domain.com/httpdocs/proxy/] strip per-dir prefix: /var/www/vhosts/
domain.com/httpdocs/proxy/directory/sappletTest.jar ->
directory/sappletTest.jar
192.168.1.10 - - [22/Aug/2013:13:49:37 +0200] [
domain.com/sid#1edcb20][rid#215d358/initial] (3) [perdir /var/www/vhosts/
domain.com/httpdocs/proxy/] applying pattern '.*' to uri
'directory/sappletTest.jar'
192.168.1.10 - - [22/Aug/2013:13:49:37 +0200] [
domain.com/sid#1edcb20][rid#215d358/initial] (4) [perdir /var/www/vhosts/
domain.com/httpdocs/proxy/] RewriteCond: input='192.168.1.10'
pattern='!^192\\.168\\.1\\.12' => matched
192.168.1.10 - - [22/Aug/2013:13:49:37 +0200] [
domain.com/sid#1edcb20][rid#215d358/initial] (2) [perdir /var/www/vhosts/
domain.com/httpdocs/proxy/] forcing responsecode 403 for /var/www/vhosts/
domain.com/httpdocs/proxy/directory
192.168.1.10 - - [22/Aug/2013:13:49:37 +0200] [
domain.com/sid#1edcb20][rid#215d358/initial] (3) [perdir /var/www/vhosts/
domain.com/httpdocs/proxy/] add path info postfix: /var/www/vhosts/
domain.com/httpdocs/proxy/directory -> /var/www/vhosts/
domain.com/httpdocs/proxy/directory/applet/appletTest.class
192.168.1.10 - - [22/Aug/2013:13:49:37 +0200] [
domain.com/sid#1edcb20][rid#215d358/initial] (3) [perdir /var/www/vhosts/
domain.com/httpdocs/proxy/] strip per-dir prefix: /var/www/vhosts/
domain.com/httpdocs/proxy/directory/applet/appletTest.class ->
directory/applet/appletTest.class
192.168.1.10 - - [22/Aug/2013:13:49:37 +0200] [
domain.com/sid#1edcb20][rid#215d358/initial] (3) [perdir /var/www/vhosts/
domain.com/httpdocs/proxy/] applying pattern '.*' to uri
'directory/applet/appletTest.class'
192.168.1.10 - - [22/Aug/2013:13:49:37 +0200] [
domain.com/sid#1edcb20][rid#215d358/initial] (4) [perdir /var/www/vhosts/
domain.com/httpdocs/proxy/] RewriteCond: input='192.168.1.10'
pattern='!^192\\.168\\.1\\.12' => matched
192.168.1.10 - - [22/Aug/2013:13:49:37 +0200] [
domain.com/sid#1edcb20][rid#215d358/initial] (2) [perdir /var/www/vhosts/
domain.com/httpdocs/proxy/] forcing responsecode 403 for /var/www/vhosts/
domain.com/httpdocs/proxy/directory
192.168.1.10 - - [22/Aug/2013:13:49:37 +0200] [
domain.com/sid#1edcb20][rid#215d358/initial] (3) [perdir /var/www/vhosts/
domain.com/httpdocs/proxy/] add path info postfix: /var/www/vhosts/
domain.com/httpdocs/proxy/directory -> /var/www/vhosts/
domain.com/httpdocs/proxy/directory/applet/appletTest.class
192.168.1.10 - - [22/Aug/2013:13:49:37 +0200] [
domain.com/sid#1edcb20][rid#215d358/initial] (3) [perdir /var/www/vhosts/
domain.com/httpdocs/proxy/] strip per-dir prefix: /var/www/vhosts/
domain.com/httpdocs/proxy/directory/applet/appletTest.class ->
directory/applet/appletTest.class
192.168.1.10 - - [22/Aug/2013:13:49:37 +0200] [
domain.com/sid#1edcb20][rid#215d358/initial] (3) [perdir /var/www/vhosts/
domain.com/httpdocs/proxy/] applying pattern '.*' to uri
'directory/applet/appletTest.class'
192.168.1.10 - - [22/Aug/2013:13:49:37 +0200] [
domain.com/sid#1edcb20][rid#215d358/initial] (4) [perdir /var/www/vhosts/
domain.com/httpdocs/proxy/] RewriteCond: input='192.168.1.10'
pattern='!^192\\.168\\.1\\.12' => matched
192.168.1.10 - - [22/Aug/2013:13:49:37 +0200] [
domain.com/sid#1edcb20][rid#215d358/initial] (2) [perdir /var/www/vhosts/
domain.com/httpdocs/proxy/] forcing responsecode 403 for /var/www/vhosts/
domain.com/httpdocs/proxy/directory


Really, I don't understand these two behaviors of the server and the proxy.
Today I have executed all the code, tomorrow only part of the code.

Any suggestion?
Thanks.
Regards.
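
Added example, not part of the original post: a small Python reader for the RewriteLog format shown above that lists, for each final mod_rewrite decision, the client address the decision was taken for. The six sample lines are entries from the post's log joined back onto one line; the function and variable names are this example's own.

```python
import re

# Sample input: six entries taken from the RewriteLog in the post, each joined
# back onto one line (the archive wrapped them). Apache 2.2 RewriteLog format.
SAMPLE_LOG = """
192.168.1.10 - - [22/Aug/2013:13:49:33 +0200] [domain.com/sid#1edcb20][rid#2159348/initial] (3) [perdir /var/www/vhosts/domain.com/httpdocs/] applying pattern '.*' to uri 'tmp'
192.168.1.10 - - [22/Aug/2013:13:49:33 +0200] [domain.com/sid#1edcb20][rid#2159348/initial] (1) [perdir /var/www/vhosts/domain.com/httpdocs/] go-ahead with proxy request proxy:http://domain.com/proxy/tmpr.php [OK]
192.168.1.12 - - [22/Aug/2013:13:49:33 +0200] [domain.com/sid#1edcb20][rid#2159348/initial] (3) [perdir /var/www/vhosts/domain.com/httpdocs/proxy/] applying pattern '.*' to uri 'tmpr.php'
192.168.1.12 - - [22/Aug/2013:13:49:33 +0200] [domain.com/sid#1edcb20][rid#2159348/initial] (1) [perdir /var/www/vhosts/domain.com/httpdocs/proxy/] pass through /var/www/vhosts/domain.com/httpdocs/proxy/tmpr.php
192.168.1.10 - - [22/Aug/2013:13:49:37 +0200] [domain.com/sid#1edcb20][rid#215b350/initial] (3) [perdir /var/www/vhosts/domain.com/httpdocs/proxy/] applying pattern '.*' to uri 'directory/sappletTest.jar'
192.168.1.10 - - [22/Aug/2013:13:49:37 +0200] [domain.com/sid#1edcb20][rid#215b350/initial] (2) [perdir /var/www/vhosts/domain.com/httpdocs/proxy/] forcing responsecode 403 for /var/www/vhosts/domain.com/httpdocs/proxy/directory
"""

# client, ident, user, [time], [vhost/sid][rid/kind], (level), [perdir dir], message
ENTRY = re.compile(
    r"^(?P<client>\S+) \S+ \S+ \[[^\]]+\] \[[^\]]+\]\[rid#\w+/[^\]]+\] "
    r"\(\d\) (?:\[perdir (?P<perdir>[^\]]+)\] )?(?P<msg>.*)$"
)
URI = re.compile(r"^applying pattern '.*' to uri '(?P<uri>[^']*)'$")
FINAL = re.compile(
    r"^(?:go-ahead with (?P<proxy>proxy) request (?:proxy:)?\s*(?P<url>\S+)"
    r"|(?P<passthru>pass through) \S+"
    r"|forcing responsecode (?P<code>\d+) for \S+)"
)

def decisions(log_text, server_addr):
    """List (client, origin, uri, action) for each final mod_rewrite decision."""
    last_uri, out = {}, []
    for line in log_text.splitlines():
        entry = ENTRY.match(line.strip())
        if not entry:
            continue
        client, msg = entry["client"], entry["msg"]
        seen = URI.match(msg)
        if seen:  # remember which URI this client's rules are being applied to
            last_uri[client] = seen["uri"]
            continue
        final = FINAL.match(msg)
        if not final:
            continue
        if final["proxy"]:
            action = "proxy -> " + final["url"]
        elif final["passthru"]:
            action = "pass through"
        else:
            action = "deny " + final["code"]
        origin = "server itself" if client == server_addr else "external client"
        out.append((client, origin, last_uri.get(client, "?"), action))
    return out

if __name__ == "__main__":
    for row in decisions(SAMPLE_LOG, "192.168.1.12"):
        print(row)
```

On the sample, the `tmpr.php` pass-through is evaluated for 192.168.1.12 and the `directory/sappletTest.jar` 403 for 192.168.1.10, the same `REMOTE_ADDR` values the log excerpts show.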