Posted to modproxy-dev@apache.org by "Weiss, Ken" <Ke...@schwab.com> on 2003/03/20 21:46:45 UTC

problem with cookie domains and mod_proxy, Apache 1.3.27

I have configured Apache 1.3.27 to operate as a reverse proxy. My proxy runs
on proxybox.schwab.com. I have a content server sitting behind it,
content.schwab.com. I can access the following URL, and it works perfectly:

http://proxybox.schwab.com/content

I get the content that is sitting on content.schwab.com. So all the reverse
proxy stuff is working fine.

Here's my problem. I use a cookie to authenticate people to
proxybox.schwab.com. This cookie has a domain of .proxybox.schwab.com, so it
should only be presented to that specific host. Web servers running on any
other host should not be able to see this cookie. But, I can see the cookie
on content.schwab.com.

It appears that mod_proxy passes all headers, including cookies with very
restrictive domains, to the content servers. Even though the cookie has a
domain set that should prevent it from going to any other servers, it still
gets passed along.

Is there any way to configure mod_proxy so it will stop doing this? Is there
any way to modify mod_proxy to filter a specific cookie from the header
before passing the request to the content server?

--Ken

---------------------------------------------------------------
Ken Weiss                                  ken.weiss@schwab.com
Directory Services                         415-667-1424 (voice)
Charles Schwab & Co.                        415-786-1545 (cell)
SF211MN-10-353                               415-667-1797 (fax)
101 Montgomery St.
San Francisco, CA 94104

 


Re: problem with cookie domains and mod_proxy, Apache 1.3.27

Posted by Ian Holsman <Ia...@cnet.com>.
I don't think 2.0 has any specific options for not passing specific cookies through.
I'm not sure how easy it would be. Looking at a tcpdump of port 80 traffic, it doesn't
look like the request passes the domain back.

I guess the only way would be for the site admin to explicitly block a cookie, but I don't believe
that option exists at the moment, and I can't think of a workaround via rewrite.

Sorry Ken.

P.S. If this is a really, really big pain for you, we could add a directive to mask cookies,
but it would probably end up in the standard 2.0 distribution, not 1.3.

--ian


Mathias Herberts wrote:
> Humm second thought, we are not running the same config, no auth is done
> on our reverse proxies, and I personally think this is not the place for
> auth as reverse proxies should really be transparent.
>
> I guess the actual mod_proxy code will not enable you to fix your
> problem. Maybe Apache 2.0 has more features for tweaking headers.
>
> Regards,
>
> Mathias.



Re: problem with cookie domains and mod_proxy, Apache 1.3.27

Posted by Mathias Herberts <Ma...@gicm.fr>.
Humm second thought, we are not running the same config, no auth is done
on our reverse proxies, and I personally think this is not the place for
auth as reverse proxies should really be transparent.

I guess the actual mod_proxy code will not enable you to fix your 
problem. Maybe Apache 2.0 has more features for tweaking headers.

Regards,

Mathias.


-- 
--  Informatique du Credit Mutuel  ----  Reseaux et Systemes Distribues
--  32 rue Mirabeau -- Le Relecq-Kerhuon -- 29808 Brest Cedex 9, FRANCE
--  Tel +33298004653 - Fax +33298284005 - Mail Mathias.Herberts@gicm.fr
--  Key Fingerprint: 8778 D2FD 3B4A 6B33 10AB  F503 63D0 ADAE 9112 03E4
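
The filtering asked about in this thread, removing one named cookie from the Cookie request header before the proxy forwards the request to the content server, shown as an added example in stand-alone C; it is not mod_proxy or Apache code and was not posted by anyone in the thread. The function name strip_cookie and the cookie name PROXYAUTH are hypothetical, and wiring the result back into the proxy's outgoing headers is not shown.

```c
#include <stdio.h>
#include <string.h>

/* Copy Cookie request-header value `in` to `out`, dropping every pair whose
 * name is exactly `name` (case-sensitive). Returns pairs dropped, or -1 if
 * `out` is too small. The browser sends only name=value pairs separated by
 * ';' (no Domain or Path), so the name is all a proxy can match on.
 * Assumes cookie values contain no ';'. */
int strip_cookie(const char *in, const char *name, char *out, size_t outlen)
{
    size_t nlen = strlen(name), used = 0;
    int dropped = 0;
    if (outlen == 0) return -1;
    out[0] = '\0';
    while (*in != '\0') {
        const char *end, *last, *eq;
        size_t len, klen;
        while (*in == ' ' || *in == '\t' || *in == ';')
            in++;                              /* skip separators */
        if (*in == '\0')
            break;
        end = strchr(in, ';');
        if (end == NULL)
            end = in + strlen(in);
        last = end;
        while (last > in && (last[-1] == ' ' || last[-1] == '\t'))
            last--;                            /* trim trailing blanks */
        len = (size_t)(last - in);
        eq = memchr(in, '=', len);
        klen = eq ? (size_t)(eq - in) : len;
        if (klen == nlen && memcmp(in, name, nlen) == 0) {
            dropped++;                         /* exact name match: omit */
        } else {
            if (used + len + (used ? 2 : 0) + 1 > outlen)
                return -1;
            if (used) { memcpy(out + used, "; ", 2); used += 2; }
            memcpy(out + used, in, len);
            used += len;
            out[used] = '\0';
        }
        in = end;
    }
    return dropped;          /* if out is "", unset the header instead */
}
int main(void)
{
    char out[128];   /* constructed header; PROXYAUTH is a hypothetical name */
    int n = strip_cookie("lang=en; PROXYAUTH=abc; theme=dark", "PROXYAUTH", out, sizeof out);
    printf("dropped=%d Cookie: %s\n", n, out);
    return 0;
}
```

Matching is on the whole cookie name, so a cookie whose name merely contains the target string is still forwarded.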