Reverse Proxy / Redirection /mod_ext_filter / mod_headers

classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|

Reverse Proxy / Redirection /mod_ext_filter / mod_headers

Farid Izem
Hi all,

I trying to reverse proxied a internal website.
Reverse proxy is well set but i encountered the followings problem :
When i authenticated against the internal Web Server, the application send back
To the client a redirection which indicates where to send it requests.

This is what i get throw ethereal :

HTTP/1.0 303 Redirecting
Server: httpd/1.0 Python/2.3.4
Date: Wed, 27 Apr 2005 08:53:36 GMT
Content-Type: text/html
Set-Cookie: sid=4i00qh0VGUi3OVV8xt1x; Max-Age=3600; Path=/;
Cache-Control: no-store,no-cache,must-revalidate,max-age=0,post-check=0,pre-check=0
Expires: Wed, 27 Apr 2005 08:53:36 GMT
Last-Modified: Wed, 27 Apr 2005 08:53:36 GMT
Location: http://192.168.1.195:8000/tracking/Tracking

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html40/loose.dtd">

<html>
<head>
  <title>: Redirecting
</title>
<meta http-equiv="Refresh" content="0;
URL=http://192.168.1.195:8000/tracking/Tracking" />

   
</head>
<body><h1>Redirecting</h1>

<p>
  Click <a href="http://192.168.1.195:8000/tracking/Tracking">here</a>
if your browser does not automatically redirect
  you.
</p>
</body>
</html>

Would it be possible to rewrite each 192.168.1.195:8000 to the ip
address:port of the reverse proxy ? Which modules should i use and how
?

I try using mod_ext_filter but i still get the followings error :

(32)Broken pipe: apr_file_write(child input), len 0

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [hidden email]
   "   from the digest: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: Reverse Proxy / Redirection /mod_ext_filter / mod_headers

Joshua Slive
On 4/27/05, Farid Izem <[hidden email]> wrote:
> I trying to reverse proxied a internal website.
> Reverse proxy is well set but i encountered the followings problem :
> When i authenticated against the internal Web Server, the application send back
> To the client a redirection which indicates where to send it requests.

> Would it be possible to rewrite each 192.168.1.195:8000 to the ip
> address:port of the reverse proxy ? Which modules should i use and how

That is the point of the ProxyPassReverse directive.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [hidden email]
   "   from the digest: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: Reverse Proxy / Redirection /mod_ext_filter / mod_headers

Farid Izem
Dear Joshua,

Aren't you saying Apache Reverse Proxy is able to rewrite any
occurences of a the
Destination ip address without any external module even if the ip
address or fully
Qualified Domain is hard coded in the body of the Internet Page ?

Don't you think you are wrong this time ?
Isn't this layer 7 content scanning and Filtering, is this ?

==>
meta http-equiv="Refresh"
content="0;URL=http://192.168.1.195:8000/tracking/Tracking" />

With this, both Firefox and Internet Explorer, are bypasing the proxy and go
Directly to http://192.168.1.195:8000/tracking/Tracking after
Authentication Site
Has been process throught the proxy :

This is the way is occured =>

1°) http://reverseProxy:8181 
2°) Authentication Page throught Remote Site (on 192.168.1.195:8000)
 

On 4/27/05, Joshua Slive <[hidden email]> wrote:

> On 4/27/05, Farid Izem <[hidden email]> wrote:
> > I trying to reverse proxied a internal website.
> > Reverse proxy is well set but i encountered the followings problem :
> > When i authenticated against the internal Web Server, the application send back
> > To the client a redirection which indicates where to send it requests.
>
> > Would it be possible to rewrite each 192.168.1.195:8000 to the ip
> > address:port of the reverse proxy ? Which modules should i use and how
>
> That is the point of the ProxyPassReverse directive.
>
> Joshua.
>

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [hidden email]
   "   from the digest: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: Reverse Proxy / Redirection /mod_ext_filter / mod_headers

Joshua Slive
On 4/27/05, Farid Izem <[hidden email]> wrote:
> Dear Joshua,
>
> Aren't you saying Apache Reverse Proxy is able to rewrite any
> occurences of a the
> Destination ip address without any external module even if the ip
> address or fully
> Qualified Domain is hard coded in the body of the Internet Page ?

I didn't notice the <meta refresh>.  ProxyPassReverse will rewrite the
Location HTTP response header, and I expect that the browser will use
that in preference to the <meta refresh> tag.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [hidden email]
   "   from the digest: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: Reverse Proxy / Redirection /mod_ext_filter / mod_headers

Farid Izem
Joshua,

You were right about Location. The Reverse Proxy must handle it.
I made some snoop trace and i confirmed you that the destination ip address is
Hard coded in the response.

So, i'm still trying to use mod_ext_filter.so to rewrite each
occurence of 192.168.1.195.

This is what i've done in httpd.conf :

ExtFilterDefine fixtext mode=output intype=text/html
cmd="/usr/bin/sed s/http:\/\/192\.168\.1\.195/http:\/\/ReverseProxy/g"

<Proxy *>
  Order allow,deny
  Allow from all
  SetOutputFilter fixtext
  ExtFilterOptions DebugLevel=3
</Proxy>

This is what i get from the log :
[Thu Apr 28 13:36:54 2005] [debug] proxy_http.c(67): proxy: HTTP:
canonicalising URL //192.168.1.195:8000/
[Thu Apr 28 13:36:54 2005] [debug] mod_proxy.c(418): Trying to run
scheme_handler
[Thu Apr 28 13:36:54 2005] [debug] proxy_http.c(1059): proxy: HTTP:
serving URL http://192.168.1.195:8000/
[Thu Apr 28 13:36:54 2005] [debug] proxy_http.c(186): proxy: HTTP
connecting http://192.168.1.195:8000/ to 192.168.1.195:8000
[Thu Apr 28 13:36:54 2005] [debug] proxy_util.c(1139): proxy: HTTP:
fam 2 socket created to connect to 192.168.1.195
[Thu Apr 28 13:36:54 2005] [debug] proxy_http.c(336): proxy: socket is connected
[Thu Apr 28 13:36:54 2005] [debug] proxy_http.c(370): proxy:
connection complete to 192.168.1.195:8000 (192.168.1.195)
[Thu Apr 28 13:36:55 2005] [debug] proxy_http.c(893): proxy: start body send
[Thu Apr 28 13:36:55 2005] [debug] mod_ext_filter.c(605): [client
192.168.2.47] filtering `/' of type `text/html'
 through `/usr/bin/sed', cfg ExtFilterOptions DebugLevel=3 NoLogStderr
!PreserveContentLength ExtFilterInType tex
t/html ExtFilterOuttype (unchanged)
[Thu Apr 28 13:36:55 2005] [error] [client 192.168.2.47] (32)Broken
pipe: apr_file_write(child input), len 0
[Thu Apr 28 13:36:55 2005] [debug] proxy_http.c(953): proxy: end body send

It seems there is a problem with mod_ext_filter :
[Thu Apr 28 13:36:55 2005] [error] [client 192.168.2.47] (32)Broken
pipe: apr_file_write(child input), len 0

How can i solve it ? What is the mistake in my configuration ?

Thanks for you  help.

King Regards,

Farid

On 4/27/05, Joshua Slive <[hidden email]> wrote:

> On 4/27/05, Farid Izem <[hidden email]> wrote:
> > Dear Joshua,
> >
> > Aren't you saying Apache Reverse Proxy is able to rewrite any
> > occurences of a the
> > Destination ip address without any external module even if the ip
> > address or fully
> > Qualified Domain is hard coded in the body of the Internet Page ?
>
> I didn't notice the <meta refresh>.  ProxyPassReverse will rewrite the
> Location HTTP response header, and I expect that the browser will use
> that in preference to the <meta refresh> tag.
>
> Joshua.
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: [hidden email]
>    "   from the digest: [hidden email]
> For additional commands, e-mail: [hidden email]
>
>

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [hidden email]
   "   from the digest: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: Reverse Proxy / Redirection /mod_ext_filter / mod_headers

Joshua Slive
[Sorry, I sent my reply to you when I ment to send it to the list.
Redirecting my reply to your reply back to the list.]

On 4/28/05, Farid Izem <[hidden email]> wrote:

> Dear Joshua,
>
> Computer Science is both my job and my passion.
> As you mentionned, i shoudn't need to do what i'm asking for.
> But i not responsible for bad self commercials developments.
> I'm just looking for a workaround to improve security around open source
> Solutions such as Linux, Apache, Squid, Postfix, Openldap, Openssh and
> BSD World.
>
> My best problem is to understand why mod_ext_filter is not working either
> i think this is not the proper solution. I've spent a lot of time compiling
> Apache, Configuring mod_ssl, mod_auth_ldap, mod_proxy, mod_rewrite
> so i will not stop now until i understand mod_ext_filter.
>
> King Regards,
>
> Farid.
>
> On 4/28/05, Joshua Slive <[hidden email]> wrote:
> > On 4/28/05, Farid Izem <[hidden email]> wrote:
> > > Joshua,
> > >
> > > You were right about Location. The Reverse Proxy must handle it.
> > > I made some snoop trace and i confirmed you that the destination ip address is
> > > Hard coded in the response.
> > >
> > > So, i'm still trying to use mod_ext_filter.so to rewrite each
> > > occurence of 192.168.1.195.
> >
> > As I mentioned, you shouldn't need to do this because all sane
> > browsers will ignore the body part of redirects.  They only look at
> > the HTTP response headers.
> >
> > If you still want to rewrite proxy bodys, look at mod_proxy_html.

Well, if what you want is to learn to use mod_ext_filter, I'd start
with a simpler scenario.  In particular, start with trying to filter
something that doesn't originate in the reverse proxy.  That would
help you to figure out if your problem is an interaction of mod_proxy
and mod_ext_filter.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [hidden email]
   "   from the digest: [hidden email]
For additional commands, e-mail: [hidden email]