httpd-users mailing list archives

From Ian Jeffray <...@jeffray.co.uk>
Subject Re: [users@httpd] Proxy on multiple ports - 2nd port has less facilities?
Date Wed, 13 Oct 2004 17:14:34 GMT
Alexander Stoll wrote:
> Ian Jeffray wrote:
> 
>> EXCEPT:  Requests to the proxy on this 2nd port cannot get
>> pages from the websites hosted by apache itself.  Very odd.
>> The requests just get forwarded out of the system, which
>> then cannot find the server in question (it basically tries
>> to request out of our firewall for something which is inside it
>> and should have been handled, so gets blocked there, in any
>> case, I don't want requests going out of the firewall, router,
>> then back in it... that's just silly).
>>
>> Has anyone else come across this issue with the proxy server
>> or have any ideas what may be causing it?
> 
> 
> Without further description of your topology, this sounds like your 
> proxy tries to fetch a page from the site that resolves to an official 
> ip, your system only knows the default route via FW and it is routing 
> the request back "in"...

Yes, that does sound like what it's doing on non-port-80-proxy-requests.
That was my original question.  The request should never get as far as
the firewall machine;  because the name matches the site that apache
itself is hosting, it should serve it directly.

This *DOES* work when talking to the apache proxy on port 80 but not
when talking to it via another "Listen"-assigned port.

> Is your FW performing any NAT for the unproxied HTTP-Host?

Yes, but that's really not the point, the request should never go
anywhere near the FW/NAT.

Clients -> [Proxy|Server] -> Firewall -> Internet

The clients using the proxy, to get to "Server" should never end up
having "Proxy" send a packet to "Firewall"... because it should all
be handled inside apache, and IS handled, for proxy requests on port
80.

Compare:

==================
ian@puffin $ telnet proxy 80
Trying 10.0.0.253...
Connected to proxy.
Escape character is '^]'.
GET http://www.mydomain.co.uk/ HTTP/1.0

HTTP/1.1 200 OK
===================
<web page from www.mydomain.co.uk follows as expected>


===================
ian@puffin $ telnet proxy 3128
Trying 10.0.0.253...
Connected to proxy.
Escape character is '^]'.
GET http://www.mydomain.co.uk/ HTTP/1.0

HTTP/1.1 401 Unauthorized
Date: Wed, 13 Oct 2004 17:07:22 GMT
Server: ZyXEL-RomPager/3.02
====================
<http request blocked at firewall as they should never get that far>
====================

Apache listens on both port 80 and 3128.

My question could perhaps be put more simply;   why do proxy requests
to any port other than the "Port" assigned port appear to not go
through the same internal ruleset?

Ian.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

