Posted to modproxy-dev@apache.org by "Weiss, Ken" <Ke...@schwab.com> on 2003/03/20 21:46:45 UTC
problem with cookie domains and mod_proxy, Apache 1.3.27
I have configured Apache 1.3.27 to operate as a reverse proxy. My proxy runs
on proxybox.schwab.com. I have a content server sitting behind it,
content.schwab.com. I can access the following URL, and it works perfectly:
http://proxybox.schwab.com/content
I get the content that is sitting on content.schwab.com. So all the reverse
proxy stuff is working fine.
Here's my problem. I use a cookie to authenticate people to
proxybox.schwab.com. This cookie has a domain of .proxybox.schwab.com, so it
should only be presented to that specific host. Web servers running on any
other host should not be able to see this cookie. But, I can see the cookie
on content.schwab.com.
It appears that mod_proxy passes all headers, including cookies with very
restrictive domains, to the content servers. Even though the cookie has a
domain set that should prevent it from going to any other servers, it still
gets passed along.
Is there any way to configure mod_proxy so it will stop doing this? Is there
any way to modify mod_proxy to filter a specific cookie from the header
before passing the request to the content server?
--Ken
---------------------------------------------------------------
Ken Weiss ken.weiss@schwab.com
Directory Services 415-667-1424 (voice)
Charles Schwab & Co. 415-786-1545 (cell)
SF211MN-10-353 415-667-1797 (fax)
101 Montgomery St.
San Francisco, CA 94104
WARNING: All email sent to this address will be received by the Charles
Schwab & Co., Inc. corporate email system and is subject to archival and
review by someone other than the recipient.
Re: problem with cookie domains and mod_proxy, Apache 1.3.27
Posted by Ian Holsman <Ia...@cnet.com>.
I don't think 2.0 has any specific options for not passing specific cookies through.
I'm not sure how easy it would be. Looking at a tcpdump of port 80 traffic, it doesn't
look like the request passes the domain back.
I guess the only way would be for the site admin to explicitly block a cookie, but I don't believe
that option exists at the moment, and I can't think of a workaround via rewrite.
Sorry Ken.
ps.. if this is a really really big pain for you, we could add a directive to mask cookies
but it would probably end up in the standard 2.0 distribution, not 1.3
--ian
Mathias Herberts wrote:
> Humm second thought, we are not running the same config, no auth is done
> on our reverse proxies, and I personally think this is not the place for
> auth as reverse proxies should really be transparent.
>
> I guess the actual mod_proxy code will not enable you to fix your
> problem. Maybe Apache 2.0 has more features for tweaking headers.
>
> Regards,
>
> Mathias.
>
> Weiss, Ken wrote:
>
>>I have configured Apache 1.3.27 to operate as a reverse proxy. My proxy runs
>>on proxybox.schwab.com. I have a content server sitting behind it,
>>content.schwab.com. I can access the following URL, and it works perfectly:
>>
>>http://proxybox.schwab.com/content
>>
>>I get the content that is sitting on content.schwab.com. So all the reverse
>>proxy stuff is working fine.
>>
>>Here's my problem. I use a cookie to authenticate people to
>>proxybox.schwab.com. This cookie has a domain of .proxybox.schwab.com, so it
>>should only be presented to that specific host. Web servers running on any
>>other host should not be able to see this cookie. But, I can see the cookie
>>on content.schwab.com.
>>
>>It appears that mod_proxy passes all headers, including cookies with very
>>restrictive domains, to the content servers. Even though the cookie has a
>>domain set that should prevent it from going to any other servers, it still
>>gets passed along.
>>
>>Is there any way to configure mod_proxy so it will stop doing this? Is there
>>any way to modify mod_proxy to filter a specific cookie from the header
>>before passing the request to the content server?
>>
>>--Ken
Re: problem with cookie domains and mod_proxy, Apache 1.3.27
Posted by Mathias Herberts <Ma...@gicm.fr>.
Humm second thought, we are not running the same config, no auth is done
on our reverse proxies, and I personally think this is not the place for
auth as reverse proxies should really be transparent.
I guess the actual mod_proxy code will not enable you to fix your
problem. Maybe Apache 2.0 has more features for tweaking headers.
Regards,
Mathias.
Weiss, Ken wrote:
> I have configured Apache 1.3.27 to operate as a reverse proxy. My proxy runs
> on proxybox.schwab.com. I have a content server sitting behind it,
> content.schwab.com. I can access the following URL, and it works perfectly:
>
> http://proxybox.schwab.com/content
>
> I get the content that is sitting on content.schwab.com. So all the reverse
> proxy stuff is working fine.
>
> Here's my problem. I use a cookie to authenticate people to
> proxybox.schwab.com. This cookie has a domain of .proxybox.schwab.com, so it
> should only be presented to that specific host. Web servers running on any
> other host should not be able to see this cookie. But, I can see the cookie
> on content.schwab.com.
>
> It appears that mod_proxy passes all headers, including cookies with very
> restrictive domains, to the content servers. Even though the cookie has a
> domain set that should prevent it from going to any other servers, it still
> gets passed along.
>
> Is there any way to configure mod_proxy so it will stop doing this? Is there
> any way to modify mod_proxy to filter a specific cookie from the header
> before passing the request to the content server?
>
> --Ken
--
-- Informatique du Credit Mutuel ---- Reseaux et Systemes Distribues
-- 32 rue Mirabeau -- Le Relecq-Kerhuon -- 29808 Brest Cedex 9, FRANCE
-- Tel +33298004653 - Fax +33298284005 - Mail Mathias.Herberts@gicm.fr
-- Key Fingerprint: 8778 D2FD 3B4A 6B33 10AB F503 63D0 ADAE 9112 03E4