httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Sander van Zoest <san...@vanZoest.com>
Subject Re: 301 Redirect through a firewall... Possible to hide the origin server ip address?
Date Sun, 16 Sep 2001 22:38:40 GMT
On Fri, 14 Sep 2001, Bill Stoddard wrote:

> Browser hits an Apache server through a firewall with a request like this:
>
> GET /manual HTTP/1.0
>
> manual is a directory which results in the server issuing a redirect thusly
>
> HTTP/1.1 301 Moved Permanently
> Date: Fri, 14 Sep 2001 17:37:22 GMT
> Server: Apache/1.3.20 (Unix)
> Location: http://origin_server/manual/
> Connection: close
> Content-Type: text/html; charset=iso-8859-1
>
> The origin server sits behind a firewall. The problem is that the Location
> header field contains the origin server name, not the name of the firewall,
> which is a bit of a security exposure.
>
> I really have no good ideas on how to prevent the location header field from
> having the origin_server name/address. Thoughts?

Did you use the ProxyPassReverse directive as described on
<http://httpd.apache.org/docs/mod/mod_proxy.html>

If I understand your problem correctly, having the above directive added
to your firewall (httpd/wmod_proxy?) httpd config, should fix the issue.

I do not think it makes sense to add a "fix" on the origin server, since
it is something that the firewall should handle.

Cheers,

--
Sander van Zoest                                          sander@vanzoest.com
High Geek                                         http://Sander.vanZoest.com/


Mime
View raw message