www-apache-bugdb mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jay Soffian <...@cimedia.com>
Subject general/2680: <Directory proxy:*> does not work as intended in combination with mod_rewrite nor ProxyPass
Date Thu, 23 Jul 1998 17:25:13 GMT

>Number:         2680
>Category:       general
>Synopsis:       <Directory proxy:*> does not work as intended in combination with
mod_rewrite nor ProxyPass
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Thu Jul 23 10:30:00 PDT 1998
>Last-Modified:
>Originator:     jay@cimedia.com
>Organization:
apache
>Release:        1.2.6, possibly 1.3
>Environment:
Linux redshift.cimedia.com 2.0.32 #19 Fri Jan 9 21:46:10 EST 1998 i686 unknown
>Description:
The docs for mod_proxy have the following to say about restricting access:

<Directory proxy:*>
order deny,allow
deny from [machines you'd like *not* to allow by IP address or name]
allow from [machines you'd like to allow by IP address or name]
</Directory>

However, if the deny line is 'deny from all' and the allow line is
'allow from [IP of localhost]', this does not work as expected in
combination with mod_rewrite's [proxy|P]' option. The IP used for
the comparison is not that of the localhost (as would be expected since
the proxy request is from the machine running apache to some remote machine),
rather it is of the machine which originated the request that caused the
[proxy|P] rule to trigger. For example, if I use the following directives:

<Directory proxy:*>
order deny,allow
deny from all
allow from [IP's of machine running apache]
<Directory>

with either:

ProxyRequests on
RewriteEngine on
RewriteRule ^/proxy/(.*) $1 [P]

or:

ProxyPass /proxy/ /
and then I access the machine running apache with a
GET /proxy/http://www.apache.org/ 

I get an access denied message with the following error log message:

[Thu Jul 23 13:02:05 1998] access to proxy:http://www.accessatlanta.com/ failed for 172.16.20.2,
reason: Client denied by server configuration

Here 172.16.20.2 is the address of the client making the GET request,
not the address of the machine running apache.

>How-To-Repeat:
Setup a configuration similar to above and test.
>Fix:
A workaround is that 'ProxyRequests on' is not needed with ProxyPass, so
this obviates the need for the <Directory proxy:*> section. Although
contrary to a note in the mod_rewrite docs, it appears that 'ProxyRequests on'
is also not needed with the [proxy|P] rewriterule option, again obviating
the need for the <directory proxy:*> section. However, this does not
fix the underlying problem.
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, ]
[you need to include <apbugs@Apache.Org> in the Cc line ]
[and leave the subject line UNCHANGED.  This is not done]
[automatically because of the potential for mail loops. ]




Mime
View raw message