httpd-dev mailing list archives

From j...@osp.nl
Subject Re: Rewriting incoming & outgoing headers
Date Fri, 19 Jul 2002 07:33:51 GMT
X-Last-Book-Read: "A big boy did it and ran away" by Christopher Brookmyre
X-Mini-Review: One more reason to play Quake III :-)
X-Full-Review: See http://josvisser.nl/bookcorner.html
X-Now-Reading: "Het evangelie volgens Jezus Christus" by José Saramago
X-URL: http://josvisser.nl
X-Message: Why not read http://josvisser.nl/groundzero.html

The biggest problem we have is with redirections that are being returned
to the browser. Because our web servers are behind a set of reverse
proxies (currently *three* deep! There is nothing I/we can do about that
because it is "corporate policy"), the web servers are not visible
directly from the outside. So there is a whole set of servers with
internal names (that are not known in the outside DNS) that all
masquerade behind www.bigacme.com/so_and_so...

We use the Netegrity SiteMinder product to implement single sign on
for the entire web server park. The SiteMinder web agent that is plugged
into each web server assesses whether a user has already logged in
(cookies) and if not redirects back to the logon web server which
performs the logon process (with all sorts of fancy smart card
technology if needed).

This means that SiteMinder returns a 30x reply with a Location header
that goes something like:

Location: http://loginserv.internal.bigacme.com?return=http://webserv.internal.bigacme.com

Both internal names are not visible from the outside, so the Location
header needs to be rewritten to contain a redirect to:

Location: http://www.bigacme.com/login?return=http://www.bigacme.com/some_app

(Examples are highly simplified and stylized, but you get the picture...)

Now, reverse proxies can typically rewrite the host part of the Location
header, but not the URI/Query_String part. We are having all sorts of
headaches with this. There are some related smaller problems as well
(e.g. the incoming Host header).

Now, I am the first to acknowledge that my customer's network/proxy/DNS
structure is all f*cked up, but it is out of my control (out of anyone's
control basically :-), hence my desire to solve it as well as I can in
the pieces that *are* under my control...

++Jos.nl

And thus it came to pass that Graham Leggett wrote:
(on Fri, Jul 19, 2002 at 09:20:58AM +0200 to be exact)

> josv@osp.nl wrote:
> 
> > Now, your opinion is greatly valued on the following:
> > 
> > - Is my reasoning about the impossibility to achieve this with a
> >   (standard) module correct?
> > - Would a generic header rewriting feature be deemed a worthwhile
> >   addition to the core?
> 
> First off - what are the problems that exist you are trying to solve?
> 
> The minute I see the requirement to start rewriting things all over the
> show my instinct kicks in saying "simplify, simplify".
> 
> Regards,
> Graham
> -- 
> -----------------------------------------
> minfrin@sharp.fm 
>       "There's a moon
>                                       over Bourbon Street
>                                               tonight..."

-- 
"Freedom" is just another word for "nothing left to lose"...
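
The rewrite described in the message above, as an added example that is not part of the original post or of Apache httpd: a Python function that maps internal hosts to public URL prefixes in the Location URL and in any URL carried in its query string. The mapping table and the function names are assumptions built from the message's simplified hostnames.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed mapping (assumption): internal host -> public URL prefix,
# using the simplified names from the message.
PUBLIC_MAP = {
    "loginserv.internal.bigacme.com": "http://www.bigacme.com/login",
    "webserv.internal.bigacme.com": "http://www.bigacme.com/some_app",
}


def map_url(url, mapping=PUBLIC_MAP):
    """Return the public form of url; leave it unchanged if its host is not mapped."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # Exact hostname match, not substring replacement, so a lookalike host
    # that merely starts with an internal name is never rewritten.
    if parts.scheme not in ("http", "https") or host not in mapping:
        return url
    base = urlsplit(mapping[host])
    path = base.path.rstrip("/") + parts.path
    return urlunsplit((base.scheme, base.netloc, path, parts.query, parts.fragment))


def rewrite_location(value, mapping=PUBLIC_MAP):
    """Rewrite a Location header value: host part and URLs inside the query string."""
    parts = urlsplit(value)
    # Step 1: rewrite absolute URLs carried as query values (e.g. return=...).
    # parse_qsl also decodes percent-encoded values, so both forms are handled.
    pairs = [(k, map_url(v, mapping))
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    # Keep ':' and '/' readable; other reserved characters are re-encoded.
    query = urlencode(pairs, safe=":/")
    rebuilt = urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))
    # Step 2: rewrite the host (and path prefix) of the redirect target itself.
    return map_url(rebuilt, mapping)


if __name__ == "__main__":
    internal = ("http://loginserv.internal.bigacme.com"
                "?return=http://webserv.internal.bigacme.com")
    print("Location:", rewrite_location(internal))
```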

