mod_rewrite, mod_proxy and AAA
on 25.10.2009 12:12:12 by aw
Hi.
environment : Apache 2.2, all platforms
In the doc. for RewriteRule it specifies :
Context: server config, virtual host, directory, .htaccess
Similarly, the doc. for ProxyPass indicates :
Context: server config, virtual host, directory
Does the above mean that they apply also to a section ?
Looking at http://httpd.apache.org/docs/2.2/sections.html
it seems so, but I'd like to be sure.
Underlying question :
I currently have the following directives in a :
RewriteRule ^/cgi-bin/script.pl$ /getit [P]
ProxyPass /getit http://another-host.com/getit
ProxyPassReverse /getit http://another-host.com/getit
this works fine.
I would like however, that *before* the above proxying to the back-end
takes place, such requests would be subject to AAA on the front-end
server. For this, I would define a as follows :
RewriteRule ^/cgi-bin/script.pl$ /getit [L]
....
Authname something
... (other AAA-related directives)
ProxyPass ^.* http://another-host.com/getit
ProxyPassReverse / http://another-host.com/
Would that work ?
I am asking because this is a production server, with no real good test
server available for testing this beforehand.
Thanks.
------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: mod_rewrite, mod_proxy and AAA
on 26.10.2009 07:58:40 by Krist van Besien
On Sun, Oct 25, 2009 at 12:12 PM, André Warnier wrote:
> Similarly, the doc. for ProxyPass indicates :
> Context:        server config, virtual host, directory
>
> Does the above mean that they apply also to a section ?
You can use Proxy and ProxyPass directives in a container,
but the syntax changes. As the docs mention:
"When used inside a section, the first argument is omitted
and the local directory is obtained from the ."
So this:
ProxyPass /getit http://another-host.com/getit
ProxyPassReverse /getit http://another-host.com/getit
And this:
ProxyPass http://another-host.com/getit
ProxyPassReverse http://another-host.com/getit
Are both equivalent...
> I would like however, that *before* the above proxying to the back-end takes
> place, such requests would be subject to AAA on the front-end server. For
> this, I would define a as follows :
If you want to use a block to protect proxied content you
will need to use the url you're proxying to.
So this would have to be:
# AAA directives
So you can't really combine them with your Proxy directive...
In your case though I would use a block. Makes it easier for
the next person reading your config to understand what is going on.
So then your config would become something like:
RewriteRule ^/cgi-bin/script.pl$ /getit [P]
ProxyPass /getit http://another-host.com/getit
ProxyPassReverse /getit http://another-host.com/getit
# Your AAA directives go here...
This approach has the advantage that you are actually protecting the
_target_ of your rewrite (which is what I assume you want), and not the
original URL. So even if you proxy other URLs to your backend they
will also require authentication.
BTW, you could combine your rewrite and your proxypass statements:
RewriteRule ^/cgi-bin/script.pl$ http://another-host.com/getit [P]
HTH,
Krist
--
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?
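
A static check for the layout discussed in this reply, added here as an example (not code from the thread or from the Apache project): it lists proxied local paths that no <Location> block carrying a Require directive covers. The sample config, the /reports path, the htpasswd path and the function names are constructed; only plain <Location> blocks are parsed, with simplified prefix matching, and any Require line is taken as AAA.

```python
import re

# Constructed sample: the thread's /getit mapping behind a <Location> block
# with AAA, plus a hypothetical second proxied path (/reports) with none.
SAMPLE_CONF = """\
ProxyPass        /getit   http://another-host.com/getit
ProxyPassReverse /getit   http://another-host.com/getit
ProxyPass        /reports http://another-host.com/reports
<Location /getit>
    AuthType Basic
    AuthName "something"
    AuthUserFile /path/to/htpasswd
    Require valid-user
</Location>
"""

LOCATION_OPEN = re.compile(r'^<Location\s+"?([^"\s>]+)"?\s*>$', re.I)

def covers(prefix, path):
    """Simplified <Location> match: prefix compared on whole path segments."""
    prefix = prefix.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")

def unprotected_proxy_paths(conf_text):
    """Return proxied local paths that no <Location> containing Require covers."""
    proxied, protected, current = set(), set(), None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = LOCATION_OPEN.match(line)
        if opened:
            current = opened.group(1)
        elif line.lower() == "</location>":
            current = None
        else:
            tokens = line.split()
            name = tokens[0].lower()
            if name == "require" and current is not None:
                protected.add(current)
            elif name == "proxypass":
                # Inside <Location> the first argument is omitted and the
                # local path comes from the enclosing block.
                args = ([current] if current is not None else []) + tokens[1:]
                if len(args) >= 2 and args[1] != "!":
                    proxied.add(args[0])
    return sorted(p for p in proxied if not any(covers(l, p) for l in protected))

if __name__ == "__main__":
    print(unprotected_proxy_paths(SAMPLE_CONF))
```
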
Re: mod_rewrite, mod_proxy and AAA
on 26.10.2009 09:56:53 by aw
Krist,
I tried to find examples in mod_rewrite and mod_proxy, but did not quite
find anything that really fit my issue.
But this nicely fills in the blanks, and is exactly what I needed.
And about
> "When used inside a section, the first argument is omitted
> and the local directory is obtained from the ."
Yep. I looked, but missed the last 2 phrases of that ProxyPass section..
Enhancement suggestion : ...
Thanks, a lot.
André
Re: mod_rewrite, mod_proxy and AAA
on 26.10.2009 12:21:52 by Eric Covener
On Sun, Oct 25, 2009 at 7:12 AM, André Warnier wrote:
> Hi.
>
> environment : Apache 2.2, all platforms
>
> In the doc. for RewriteRule it specifies :
> Context:        server config, virtual host, directory, .htaccess
>
> Similarly, the doc. for ProxyPass indicates :
> Context:        server config, virtual host, directory
>
> Does the above mean that they apply also to a section ?
> Looking at http://httpd.apache.org/docs/2.2/sections.html
> it seems so, but I'd like to be sure.
>
>
> Underlying question :
>
> I currently have the following directives in a :
>
>        RewriteRule ^/cgi-bin/script.pl$ /getit [P]
P flag intended, or PT?
--
Eric Covener
covener@gmail.com