httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Chuck Murcko <ch...@topsail.org>
Subject Re: PROPOSAL: new directive for mod_proxy
Date Fri, 01 Mar 2002 18:11:34 GMT
Sorry this is late - I lost the original email.

I think reverse proxy is usable all the time - mod_rewrite uses it by 
generating an internal request. And you can put rewrite+reverse proxy 
rules (possibly using [P] flag) into .htaccess.

It's also conceptually less confusing to see adjacent default lines in 
the config

ProxyPass off    #forward proxy
ReverseProxyPass on #reverse proxy

Or whatever we call it. The default values are for compatibility with 
other modules. I've seen also several instances lately where sites 
thought they needed ProxyPass on for reverse proxy _ rewrite but did 
not, and had inadvertently been getting exploited as open forward 
proxies. The opposite case from the original security implications of 
reverse proxy always on. So at the least it's currently confusing, and 
could stand to be more clearly and configurably enabled.

Chuck

On Sunday, February 17, 2002, at 03:32 PM, Ian Holsman wrote:

> Graham Leggett wrote:
>> This is a cryptographically signed message in MIME format.
>> --------------msCFE9391983F6F7937BC9AC92
>> Content-Type: text/plain; charset=us-ascii
>> Content-Transfer-Encoding: 7bit
>> Ian Holsman wrote:
>>> In that case
>>> +1
>>> ReverseProxyEngine On
>>> ?
>>>
>> I still don't understand why it is required.
>> Reverse proxy behaviour is switched on using ProxyPass, and as I
>> understand it also by some magic in mod_rewrite. Adding another
>> directive means to get reverse proxy behaviour you need to enable two
>> directives instead of just one - which doesn't make sense.
>
> ok.. from my understanding:
> you can write rewrite rules in a .htaccess file and they will be applied
> you can use rewrite to initate a reverse-proxy connection.
> so a unwilling administrator can open up his network by a malicious user
> that has access to a 'userdirectory' or somesuch on the main webserver.
>
> Is this right chuck?
>
>> What are you trying to achieve using this directive?
>> Regards,
>> Graham
>
>
>


Mime
View raw message