httpd-users mailing list archives

From Tom Evans <tevans...@googlemail.com>
Subject Re: [users@httpd] Re: Problem with ProxyPass
Date Thu, 07 Oct 2010 13:52:41 GMT
On Thu, Oct 7, 2010 at 1:27 PM, Michelle Konzack
<linux4michelle@tamay-dogan.net> wrote:
> Hello Tom Evans,
>
> On 2010-10-07 10:55:59, you hacked down the following:
>> On Thu, Oct 7, 2010 at 6:51 AM, Michelle Konzack
>> <linux4michelle@tamay-dogan.net> wrote:
>> > ----[ '/etc/apache2/conf.d/apache_proxy' ]------------------------------
>> > NameVirtualHost         192.168.0.69:80
>> >
>> > <VirtualHost 192.168.0.69:80>
>> >    ServerName          www.tdipmedia.net
>> >    ProxyPass           / http://192.168.0.208:80/
>> >    ProxyPassReverse    / http://192.168.0.208:80/
>> >    <Directory proxy:http://192.168.0.208:80/*>
>> >        Order           deny,allow
>> >        Allow           from all
>> >    </Directory>
>> > </VirtualHost>
>> > ------------------------------------------------------------------------
>> Your config doesn't look right to me:
>
> Hmmm, since my three pootle instances were conflicting with Apache, I
> set up the following config last year, which is working:
>
> ----[ '/VServer_10/APACHE_available/pootle.tdwave.net' ]----------------
> <VirtualHost 192.168.0.69:80>
>    ServerAdmin         linux4michelle@tamay-dogan.net
>    ServerName          pootle.tdwave.net
>
>    ProxyPass          /images !
>    ProxyPass          /js !
>    ProxyPass          /pootle.css !
>    ProxyPass          /favicon.ico !
>    ProxyPass          / http://localhost:8888/
>    ProxyPassReverse   / http://localhost:8888/
>    <Directory proxy:http://localhost:8888/*>
>        Order          deny,allow
>        Allow          from all
>    </Directory>
>
>    DocumentRoot        /usr/share/pootle/html/
>    <Directory /usr/share/pootle/html/>
>        Order           deny,allow
>        Allow           from all
>    </Directory>
>
>    <Directory />
>        Options         FollowSymLinks Indexes
>        AllowOverride   None
>        Order           deny,allow
>        Allow           from all
>    </Directory>
>
>    # debug, info, notice, warn, error, crit, alert, emerg.
>    LogLevel            warn
>    ErrorLog            /VServer_10/CONFIG_pootle.tdwave.net/log/apache/error.log
>
>    LogFormat           "%{[%Y-%m-%d %H:%M:%S %z]}t %h [%V] %l %u \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" vhost
>    CustomLog           /VServer_10/CONFIG_pootle.tdwave.net/log/apache/access.log vhost
>
>    ServerSignature     On
> </VirtualHost>
> ------------------------------------------------------------------------
>
> and now modified it.  The only difference is that the new server is NOT
> on <localhost> but on IP <192.168.0.208>
>
>>     NameVirtualHost         192.168.0.69:80
>>
>> This says 'When a request comes in on the socket listening on IP
>> 192.168.0.69, port 80, use the Host header from the request to infer
>> the virtualhost to use'.
>
> Right
>
>> <VirtualHost 192.168.0.69:80>
>>    ServerName          www.tdipmedia.net
>>
>> </VirtualHost>
>>
>> This says: 'When a request comes in on 192.168.0.69:80, with Host
>> header 'www.tdipmedia.net', use this virtualhost to serve the request'
>
> Right too.
>
>>    ProxyPass           / http://192.168.0.208:80/
>>    ProxyPassReverse    / http://192.168.0.208:80/
>>
>> This says: 'Proxy / to the website on http://192.168.0.208:80/'
>
> Right too.
>
>>    <Directory proxy:http://192.168.0.208:80/*>
>>        Order           deny,allow
>>        Allow           from all
>>    </Directory>
>>
>> This is nonsense. A <Directory> refers to a disk location, nothing
>> else. If you wish to restrict who can access a reverse proxy, use a
>> <Proxy> directive or a <Location> directive.
>
> Hmmm...
>
>> Well, you haven't specified anything in your config that would result
>> in a redirect, you have configured a proxy. Apart from that...
>>
>> So there are a couple of things you can check.
>>
>> 1) When you connect to the webserver, are you connecting to 192.168.0.69:80 ?
>
> Yes, and I get:
>
> ----[ command 'wget -S -O /dev/null http://www.tdipmedia.net/' ]--------
>
> --2010-10-07 14:26:26--  http://www.tdipmedia.net/
> Resolving www.tdipmedia.net... 88.168.69.36
> Connecting to www.tdipmedia.net|88.168.69.36|:80... connected.
> HTTP request sent, awaiting response...
>  HTTP/1.1 403 Forbidden
>  Date: Thu, 07 Oct 2010 12:26:26 GMT
>  Content-Length: 390
>  Keep-Alive: timeout=15, max=100
>  Connection: Keep-Alive
>  Content-Type: text/html; charset=iso-8859-1
> 2010-10-07 14:26:26 ERROR 403: Forbidden.
>
> ------------------------------------------------------------------------
>
> <88.168.69.36> is my fixed PUBLIC IP address and all :80 traffic is
> redirected to my DMZ on <192.168.0.69> and some of the servers should be
> proxied to servers behind it like the <192.168.0.208>.
>
>> 2) What Host header are you sending to the server? Typically a browser
>> will send the host portion of the URL you type in the address bar -
>> does that match 'www.tdipmedia.net'?
>> 3) Where are your logs? What 'does not work' - explain what you've
>> tried, what the server does when you try that, and what error/info
>> messages are printed in the access and error logs.
>
> [Thu Oct 07 14:16:45 2010] [error] [client 192.168.0.65] client denied by server configuration: proxy:http://192.168.0.208:80/
>
> Thanks, Greetings and nice Day/Evening
>    Michelle Konzack
>
> --

Can you spot the difference, or shall I point it out? :)

In your working vhost, you have specified a documentroot, and have
granted access to it. In your non working vhost, you haven't done
either, and your <Directory> block doesn't ever get applied, thus
requests are denied.

Either replace your <Directory> block with an appropriate <Location>
block, or give your vhost an empty document root, and change your
Directory block to point at that (/var/empty is what I usually use).

Cheers

Tom

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
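
The suggestion quoted earlier in this thread (control access to a reverse proxy with a <Proxy> section instead of <Directory proxy:...>), written out as an added example; it is not part of the original message. It assumes the Apache 2.2 access-control syntax used in the quoted configs and reuses the addresses from the thread.

```apache
# Added example: the non-working vhost from the thread with the
# <Directory proxy:...> block replaced by a <Proxy> section.
NameVirtualHost         192.168.0.69:80

<VirtualHost 192.168.0.69:80>
    ServerName          www.tdipmedia.net

    # Reverse proxy only. ProxyRequests Off (the default) keeps this
    # vhost from acting as a forward proxy for arbitrary destinations.
    ProxyRequests       Off

    ProxyPass           / http://192.168.0.208:80/
    ProxyPassReverse    / http://192.168.0.208:80/

    # Access control for proxied requests belongs in <Proxy>,
    # scoped to the single backend rather than to every proxied URL.
    <Proxy http://192.168.0.208:80/*>
        Order           deny,allow
        Allow           from all
        # Apache 2.4 equivalent of the two lines above:
        #   Require all granted
    </Proxy>
</VirtualHost>
```

Run `apachectl configtest` before reloading, then repeat the `wget -S` request from the thread and check the error log for the `client denied by server configuration` line.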

