httpd-users mailing list archives

From "Joshua Slive" <jos...@slive.ca>
Subject Re: [users@httpd] Security glitch with Rewrite and Proxy
Date Thu, 28 Sep 2006 15:43:18 GMT

On 9/28/06, Germer, Carsten <carsten.germer@desy.de> wrote:
> Red box? I don't see a red box on this page? Wait... I'll take off my
> see-the-world-in-pink-glasses...
> Oh, that red box! >_< Gah, I'm sorry. I've updated my Apache but haven't
> read the new documentation.
>
> Soooo, since our system is quite dependent on Apache's caching, any good
> ideas on how to work around that effect?
> Does it necessarily mean I have to omit the [P] if I want to do what I
> want to do?

Unfortunately, (and as has already been discussed on the development
list) I don't see any easy solutions for your problem.  The problem is
not the [P].  The problem is that you can't do caching and access
control on the same server.  It is, to some degree, a weakness in
mod_cache's design.  It only works for public sites.

The only solution is to put the access control in front of the cache.
For example, you could have your firewall restrict what IPs can access
the cache rather than doing it through mod_rewrite.  Alternatively, if
the back-end (8080) server is running Apache, you could put the cache
on that server instead.  Or, in the worst case, you could do a
double-proxy.  The front-end machine would have mod_rewrite, but no
cache.  It would then pass on the requests using [P] to an
intermediate server (say on port 7070), with mod_cache.  Then this
server would proxy back to 8080 to get the content.  Doesn't sound
like a lot of fun to me.

I think in the ideal world, mod_cache would implement a <Cache>
section, and anything inside that section would be run before the
cache access.  But that isn't going to happen any time soon.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
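
The double-proxy layout described in the message above, sketched as an added example that is not part of the original message or of the Apache documentation. The client range 192.0.2.0/24, the loopback addresses, the CacheRoot path and the use of two virtual hosts (rather than two separate httpd instances) are assumptions made for illustration; ports 7070 and 8080 are the ones named in the message.

```apache
# Added illustration, not from the original message. Assumed values:
# 192.0.2.0/24 (allowed clients), loopback binding, and the CacheRoot path.
# Requires mod_rewrite, mod_proxy, mod_proxy_http and, on the caching tier,
# mod_cache plus its disk storage provider.

# --- Tier 1: public front end. Access control only, NO CacheEnable here. ---
Listen 80
<VirtualHost *:80>
    RewriteEngine On

    # Refuse every client outside the allowed range before anything is proxied.
    RewriteCond %{REMOTE_ADDR} !^192\.0\.2\.
    RewriteRule ^ - [F]

    # Requests that passed the check are handed to the caching tier.
    RewriteRule ^/(.*)$ http://127.0.0.1:7070/$1 [P]
    ProxyPassReverse / http://127.0.0.1:7070/
</VirtualHost>

# --- Tier 2: caching proxy on 7070, bound to loopback only. ---
Listen 127.0.0.1:7070
<VirtualHost 127.0.0.1:7070>
    # The cache sits behind the access check, so it only ever answers
    # requests that tier 1 has already allowed.
    CacheRoot /var/cache/httpd/proxy
    CacheEnable disk /

    # Cache misses are fetched from the real back end.
    ProxyPass / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
```

The binding on tier 2 is what keeps the arrangement sound: if port 7070 were reachable from outside, clients could talk to the cache directly and skip the check on tier 1.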

