Control access to files with proxies

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

I'm using a proxy to go to php file, to be sure the request comes from a script in the server.

At /var/www/vhosts/domain.com/httpdocs (the document root of this virtual host)
In the .htaccess file:

    RewriteCond %{SCRIPT_FILENAME} -l
    RewriteCond %{REQUEST_URI} tmp$
    RewriteRule .* http://domain.com/proxy/tmpr.php [P]

Symlink - the symlink goes to another file but is not important because a proxy is used later to another file
lrwxrwxrwx.  1 root   root        54 ago 14 21:11 tmp -> /var/www/vhosts/domain.com/httpdocs/proxy/tmp.php

At /var/www/vhosts/domain.com/httpdocs/proxy (Directory have got AllowOverride at .conf file)
There is another .htacces file

    RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.12
    RewriteRule .* - [F]

    RewriteRule ^directory/(.*)$ ajp://localhost:8009/directory/$1 [P]


192.168.1.12 is a local ipv4 address where apache server is located

The test is made from another local ip address 192.168.1.10
When I browse domain.com/tmp, a proxy request is made to domain.com/proxy/tmpr.php correctly
If I try to browse directly to domain.com/proxy/tmpr.php I'm being redirected to Forbidden 403 correctly


At tmpr.php file:

    <?php
    foreach($_SERVER as $key_name => $key_value) {

    print $key_name . " = " . $key_value . "<br>";

    }
    ?>

    <applet id='applet' codebase="" code='applet.applettest' archive='./sappletTest.jar' width=1 height=1>
    </applet>


The applet is a signed jar file, and it works without these two lines from any ip:
    RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.12
    RewriteRule .* - [F]
And browsing domain.com/proxy/tmpr.php directly is showing a text message in the init() method.

And the log shows the OK for this proxy, in the log.
RewriteRule ^directory/(.*)$ ajp://localhost:8009/directory/$1 [P]


When browsing domain.com/tmp proxy is activated
192.168.1.10 - - [22/Aug/2013:13:49:33 +0200] [domain.com/sid#1edcb20][rid#2159348/initial] (1) [perdir /var/www/vhosts/domain.com/httpdocs/] go-ahead with proxy request proxy:http://domain.com/proxy/tmpr.php [OK]
I'm accessing to tmpr.php like REMOTE ADDR 192.168.1.12
192.168.1.12 - - [22/Aug/2013:13:49:33 +0200] [domain.com/sid#1edcb20][rid#2159348/initial] (4) [perdir /var/www/vhosts/domain.com/httpdocs/proxy/] RewriteCond: input='192.168.1.12' pattern='!^192\\.168\\.1\\.12' => not-matched

The php code executed at tmpr.php

    HTTP_HOST = domain.com
    HTTP_ACCEPT = text/html, application/xhtml+xml, */*
    HTTP_ACCEPT_LANGUAGE = es-ES
    HTTP_USER_AGENT = Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
    HTTP_ACCEPT_ENCODING = gzip, deflate
    HTTP_DNT = 1
    HTTP_X_FORWARDED_FOR = 192.168.1.10
    HTTP_X_FORWARDED_HOST = domain.com
    HTTP_X_FORWARDED_SERVER = domain.com
    HTTP_CONNECTION = Keep-Alive
    PATH = /sbin:/usr/sbin:/bin:/usr/bin
    SERVER_SIGNATURE =
    Apache/2.2.15 (CentOS) Server at domain.com Port 80

    SERVER_SOFTWARE = Apache/2.2.15 (CentOS)
    SERVER_NAME = domain.com
    SERVER_ADDR = 192.168.1.12
    SERVER_PORT = 80
    REMOTE_ADDR = 192.168.1.12

If I access to the domain.com/proxy/tmpr.php without these two Rewrite lines

    RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.12
    RewriteRule .* - [F]

REMOTE_ADDR = 192.168.1.10 is showed.

    DOCUMENT_ROOT = /var/www/vhosts/domain.com/httpdocs
    SERVER_ADMIN = admin@xxxxxxxxxx
    SCRIPT_FILENAME = /var/www/vhosts/domain.com/httpdocs/proxy/tmpr.php
    REMOTE_PORT = 35750
    GATEWAY_INTERFACE = CGI/1.1
    SERVER_PROTOCOL = HTTP/1.1
    REQUEST_METHOD = GET
    QUERY_STRING =
    REQUEST_URI = /proxy/tmpr.php
    SCRIPT_NAME = /proxy/tmpr.php
    PHP_SELF = /proxy/tmpr.php
    REQUEST_TIME = 1377172173


But the problem is the next part of the code, the applet tag is executed without the proxy in the same request.
192.168.1.10 - - [22/Aug/2013:13:49:37 +0200] [domain.com/sid#1edcb20][rid#215b350/initial] (4) [perdir /var/www/vhosts/domain.com/httpdocs/proxy/] RewriteCond: input='192.168.1.10' pattern='!^192\\.168\\.1\\.12' => matched

192.168.1.10 - - [22/Aug/2013:13:49:37 +0200] [domain.com/sid#1edcb20][rid#215b350/initial] (3) [perdir /var/www/vhosts/domain.com/httpdocs/proxy/] add path info postfix: /var/www/vhosts/domain.com/httpdocs/proxy/directory -> /var/www/vhosts/domain.com/httpdocs/proxy/directory/sappletTest.jar
192.168.1.10 - - [22/Aug/2013:13:49:37 +0200] [domain.com/sid#1edcb20][rid#215b350/initial] (3) [perdir /var/www/vhosts/domain.com/httpdocs/proxy/] strip per-dir prefix: /var/www/vhosts/domain.com/httpdocs/proxy/directory/sappletTest.jar -> directory/sappletTest.jar
192.168.1.10 - - [22/Aug/2013:13:49:37 +0200] [domain.com/sid#1edcb20][rid#215b350/initial] (3) [perdir /var/www/vhosts/domain.com/httpdocs/proxy/] applying pattern '.*' to uri 'directory/sappletTest.jar'
192.168.1.10 - - [22/Aug/2013:13:49:37 +0200] [domain.com/sid#1edcb20][rid#215b350/initial] (4) [perdir /var/www/vhosts/domain.com/httpdocs/proxy/] RewriteCond: input='192.168.1.10' pattern='!^192\\.168\\.1\\.12' => matched
192.168.1.10 - - [22/Aug/2013:13:49:37 +0200] [domain.com/sid#1edcb20][rid#215b350/initial] (2) [perdir /var/www/vhosts/domain.com/httpdocs/proxy/] forcing responsecode 403 for /var/www/vhosts/domain.com/httpdocs/proxy/directory

If tmpr.php is accessed, through proxy request, an unique request.
Why part of code is not executed through proxy, if the code of the file is obtained through this proxy.


The worst thing is two days ago this was working correctly, I had tested few times.
Today I have got a pseudo proxy.


You can see the log below, and proxies behavior. (Ignore the favicon.icon logs)

RewriteLog accesing domain.com/tmp (an unique request)
192.168.1.10 - - [22/Aug/2013:13:49:33 +0200] [domain.com/sid#1edcb20][rid#2159348/initial] (3) [perdir /var/www/vhosts/domain.com/httpdocs/] strip per-dir prefix: /var/www/vhosts/domain.com/httpdocs/tmp -> tmp
192.168.1.10 - - [22/Aug/2013:13:49:33 +0200] [domain.com/sid#1edcb20][rid#2159348/initial] (3) [perdir /var/www/vhosts/domain.com/httpdocs/] applying pattern '.*' to uri 'tmp'
192.168.1.10 - - [22/Aug/2013:13:49:33 +0200] [domain.com/sid#1edcb20][rid#2159348/initial] (4) [perdir /var/www/vhosts/domain.com/httpdocs/] RewriteCond: input='/var/www/vhosts/domain.com/httpdocs/tmp' pattern='-l' => matched
192.168.1.10 - - [22/Aug/2013:13:49:33 +0200] [domain.com/sid#1edcb20][rid#2159348/initial] (4) [perdir /var/www/vhosts/domain.com/httpdocs/] RewriteCond: input='/tmp' pattern='tmp$' => matched
192.168.1.10 - - [22/Aug/2013:13:49:33 +0200] [domain.com/sid#1edcb20][rid#2159348/initial] (2) [perdir /var/www/vhosts/domain.com/httpdocs/] rewrite 'tmp' -> 'http://domain.com/proxy/tmpr.php'
192.168.1.10 - - [22/Aug/2013:13:49:33 +0200] [domain.com/sid#1edcb20][rid#2159348/initial] (2) [perdir /var/www/vhosts/domain.com/httpdocs/] escaped URI in per-dir context for proxy, http://domain.com/proxy/tmpr.php -> http://domain.com/proxy/tmpr.php
192.168.1.10 - - [22/Aug/2013:13:49:33 +0200] [domain.com/sid#1edcb20][rid#2159348/initial] (2) [perdir /var/www/vhosts/domain.com/httpdocs/] forcing proxy-throughput with http://domain.com/proxy/tmpr.php
192.168.1.10 - - [22/Aug/2013:13:49:33 +0200] [domain.com/sid#1edcb20][rid#2159348/initial] (1) [perdir /var/www/vhosts/domain.com/httpdocs/] go-ahead with proxy request proxy:http://domain.com/proxy/tmpr.php [OK]
192.168.1.12 - - [22/Aug/2013:13:49:33 +0200] [domain.com/sid#1edcb20][rid#2159348/initial] (3) [perdir /var/www/vhosts/domain.com/httpdocs/proxy/] strip per-dir prefix: /var/www/vhosts/domain.com/httpdocs/proxy/tmpr.php -> tmpr.php
192.168.1.12 - - [22/Aug/2013:13:49:33 +0200] [domain.com/sid#1edcb20][rid#2159348/initial] (3) [perdir /var/www/vhosts/domain.com/httpdocs/proxy/] applying pattern '.*' to uri 'tmpr.php'
192.168.1.12 - - [22/Aug/2013:13:49:33 +0200] [domain.com/sid#1edcb20][rid#2159348/initial] (4) [perdir /var/www/vhosts/domain.com/httpdocs/proxy/] RewriteCond: input='192.168.1.12' pattern='!^192\\.168\\.1\\.12' => not-matched
192.168.1.12 - - [22/Aug/2013:13:49:33 +0200] [domain.com/sid#1edcb20][rid#2159348/initial] (3) [perdir /var/www/vhosts/domain.com/httpdocs/proxy/] strip per-dir prefix: /var/www/vhosts/domain.com/httpdocs/proxy/tmpr.php -> tmpr.php
192.168.1.12 - - [22/Aug/2013:13:49:33 +0200] [domain.com/sid#1edcb20][rid#2159348/initial] (3) [perdir /var/www/vhosts/domain.com/httpdocs/proxy/] applying pattern '^directory/(.*)$' to uri 'tmpr.php'
192.168.1.12 - - [22/Aug/2013:13:49:33 +0200] [domain.com/sid#1edcb20][rid#2159348/initial] (1) [perdir /var/www/vhosts/domain.com/httpdocs/proxy/] pass through /var/www/vhosts/domain.com/httpdocs/proxy/tmpr.php
192.168.1.10 - - [22/Aug/2013:13:49:33 +0200] [domain.com/sid#1edcb20][rid#2159348/initial] (3) [perdir /var/www/vhosts/domain.com/httpdocs/] strip per-dir prefix: /var/www/vhosts/domain.com/httpdocs/favicon.ico -> favicon.ico
192.168.1.10 - - [22/Aug/2013:13:49:33 +0200] [domain.com/sid#1edcb20][rid#2159348/initial] (3) [perdir /var/www/vhosts/domain.com/httpdocs/] applying pattern '.*' to uri 'favicon.ico'
192.168.1.10 - - [22/Aug/2013:13:49:33 +0200] [domain.com/sid#1edcb20][rid#2159348/initial] (4) [perdir /var/www/vhosts/domain.com/httpdocs/] RewriteCond: input='/var/www/vhosts/domain.com/httpdocs/favicon.ico' pattern='-l' => not-matched
192.168.1.10 - - [22/Aug/2013:13:49:33 +0200] [domain.com/sid#1edcb20][rid#2159348/initial] (3) [perdir /var/www/vhosts/domain.com/httpdocs/] strip per-dir prefix: /var/www/vhosts/domain.com/httpdocs/favicon.ico -> favicon.ico
192.168.1.10 - - [22/Aug/2013:13:49:33 +0200] [domain.com/sid#1edcb20][rid#2159348/initial] (3) [perdir /var/www/vhosts/domain.com/httpdocs/] applying pattern '.*' to uri 'favicon.ico'
192.168.1.10 - - [22/Aug/2013:13:49:33 +0200] [domain.com/sid#1edcb20][rid#2159348/initial] (4) [perdir /var/www/vhosts/domain.com/httpdocs/] RewriteCond: input='/favicon.ico' pattern='\\..+$' => matched
192.168.1.10 - - [22/Aug/2013:13:49:33 +0200] [domain.com/sid#1edcb20][rid#2159348/initial] (4) [perdir /var/www/vhosts/domain.com/httpdocs/] RewriteCond: input='/favicon.ico' pattern='!\\.html$' => matched
192.168.1.10 - - [22/Aug/2013:13:49:33 +0200] [domain.com/sid#1edcb20][rid#2159348/initial] (1) [perdir /var/www/vhosts/domain.com/httpdocs/] pass through /var/www/vhosts/domain.com/httpdocs/favicon.ico
192.168.1.10 - - [22/Aug/2013:13:49:37 +0200] [domain.com/sid#1edcb20][rid#215b350/initial] (3) [perdir /var/www/vhosts/domain.com/httpdocs/proxy/] add path info postfix: /var/www/vhosts/domain.com/httpdocs/proxy/directory -> /var/www/vhosts/domain.com/httpdocs/proxy/directory/sappletTest.jar
192.168.1.10 - - [22/Aug/2013:13:49:37 +0200] [domain.com/sid#1edcb20][rid#215b350/initial] (3) [perdir /var/www/vhosts/domain.com/httpdocs/proxy/] strip per-dir prefix: /var/www/vhosts/domain.com/httpdocs/proxy/directory/sappletTest.jar -> directory/sappletTest.jar
192.168.1.10 - - [22/Aug/2013:13:49:37 +0200] [domain.com/sid#1edcb20][rid#215b350/initial] (3) [perdir /var/www/vhosts/domain.com/httpdocs/proxy/] applying pattern '.*' to uri 'directory/sappletTest.jar'
192.168.1.10 - - [22/Aug/2013:13:49:37 +0200] [domain.com/sid#1edcb20][rid#215b350/initial] (4) [perdir /var/www/vhosts/domain.com/httpdocs/proxy/] RewriteCond: input='192.168.1.10' pattern='!^192\\.168\\.1\\.12' => matched
192.168.1.10 - - [22/Aug/2013:13:49:37 +0200] [domain.com/sid#1edcb20][rid#215b350/initial] (2) [perdir /var/www/vhosts/domain.com/httpdocs/proxy/] forcing responsecode 403 for /var/www/vhosts/domain.com/httpdocs/proxy/directory
192.168.1.10 - - [22/Aug/2013:13:49:37 +0200] [domain.com/sid#1edcb20][rid#215d358/initial] (3) [perdir /var/www/vhosts/domain.com/httpdocs/proxy/] add path info postfix: /var/www/vhosts/domain.com/httpdocs/proxy/directory -> /var/www/vhosts/domain.com/httpdocs/proxy/directory/sappletTest.jar
192.168.1.10 - - [22/Aug/2013:13:49:37 +0200] [domain.com/sid#1edcb20][rid#215d358/initial] (3) [perdir /var/www/vhosts/domain.com/httpdocs/proxy/] strip per-dir prefix: /var/www/vhosts/domain.com/httpdocs/proxy/directory/sappletTest.jar -> directory/sappletTest.jar
192.168.1.10 - - [22/Aug/2013:13:49:37 +0200] [domain.com/sid#1edcb20][rid#215d358/initial] (3) [perdir /var/www/vhosts/domain.com/httpdocs/proxy/] applying pattern '.*' to uri 'directory/sappletTest.jar'
192.168.1.10 - - [22/Aug/2013:13:49:37 +0200] [domain.com/sid#1edcb20][rid#215d358/initial] (4) [perdir /var/www/vhosts/domain.com/httpdocs/proxy/] RewriteCond: input='192.168.1.10' pattern='!^192\\.168\\.1\\.12' => matched
192.168.1.10 - - [22/Aug/2013:13:49:37 +0200] [domain.com/sid#1edcb20][rid#215d358/initial] (2) [perdir /var/www/vhosts/domain.com/httpdocs/proxy/] forcing responsecode 403 for /var/www/vhosts/domain.com/httpdocs/proxy/directory
192.168.1.10 - - [22/Aug/2013:13:49:37 +0200] [domain.com/sid#1edcb20][rid#215b350/initial] (3) [perdir /var/www/vhosts/domain.com/httpdocs/proxy/] add path info postfix: /var/www/vhosts/domain.com/httpdocs/proxy/directory -> /var/www/vhosts/domain.com/httpdocs/proxy/directory/sappletTest.jar
192.168.1.10 - - [22/Aug/2013:13:49:37 +0200] [domain.com/sid#1edcb20][rid#215b350/initial] (3) [perdir /var/www/vhosts/domain.com/httpdocs/proxy/] strip per-dir prefix: /var/www/vhosts/domain.com/httpdocs/proxy/directory/sappletTest.jar -> directory/sappletTest.jar
192.168.1.10 - - [22/Aug/2013:13:49:37 +0200] [domain.com/sid#1edcb20][rid#215b350/initial] (3) [perdir /var/www/vhosts/domain.com/httpdocs/proxy/] applying pattern '.*' to uri 'directory/sappletTest.jar'
192.168.1.10 - - [22/Aug/2013:13:49:37 +0200] [domain.com/sid#1edcb20][rid#215b350/initial] (4) [perdir /var/www/vhosts/domain.com/httpdocs/proxy/] RewriteCond: input='192.168.1.10' pattern='!^192\\.168\\.1\\.12' => matched
192.168.1.10 - - [22/Aug/2013:13:49:37 +0200] [domain.com/sid#1edcb20][rid#215b350/initial] (2) [perdir /var/www/vhosts/domain.com/httpdocs/proxy/] forcing responsecode 403 for /var/www/vhosts/domain.com/httpdocs/proxy/directory
192.168.1.10 - - [22/Aug/2013:13:49:37 +0200] [domain.com/sid#1edcb20][rid#215d358/initial] (3) [perdir /var/www/vhosts/domain.com/httpdocs/proxy/] add path info postfix: /var/www/vhosts/domain.com/httpdocs/proxy/directory -> /var/www/vhosts/domain.com/httpdocs/proxy/directory/sappletTest.jar
192.168.1.10 - - [22/Aug/2013:13:49:37 +0200] [domain.com/sid#1edcb20][rid#215d358/initial] (3) [perdir /var/www/vhosts/domain.com/httpdocs/proxy/] strip per-dir prefix: /var/www/vhosts/domain.com/httpdocs/proxy/directory/sappletTest.jar -> directory/sappletTest.jar
192.168.1.10 - - [22/Aug/2013:13:49:37 +0200] [domain.com/sid#1edcb20][rid#215d358/initial] (3) [perdir /var/www/vhosts/domain.com/httpdocs/proxy/] applying pattern '.*' to uri 'directory/sappletTest.jar'
192.168.1.10 - - [22/Aug/2013:13:49:37 +0200] [domain.com/sid#1edcb20][rid#215d358/initial] (4) [perdir /var/www/vhosts/domain.com/httpdocs/proxy/] RewriteCond: input='192.168.1.10' pattern='!^192\\.168\\.1\\.12' => matched
192.168.1.10 - - [22/Aug/2013:13:49:37 +0200] [domain.com/sid#1edcb20][rid#215d358/initial] (2) [perdir /var/www/vhosts/domain.com/httpdocs/proxy/] forcing responsecode 403 for /var/www/vhosts/domain.com/httpdocs/proxy/directory
192.168.1.10 - - [22/Aug/2013:13:49:37 +0200] [domain.com/sid#1edcb20][rid#215d358/initial] (3) [perdir /var/www/vhosts/domain.com/httpdocs/proxy/] add path info postfix: /var/www/vhosts/domain.com/httpdocs/proxy/directory -> /var/www/vhosts/domain.com/httpdocs/proxy/directory/applet/appletTest.class
192.168.1.10 - - [22/Aug/2013:13:49:37 +0200] [domain.com/sid#1edcb20][rid#215d358/initial] (3) [perdir /var/www/vhosts/domain.com/httpdocs/proxy/] strip per-dir prefix: /var/www/vhosts/domain.com/httpdocs/proxy/directory/applet/appletTest.class -> directory/applet/appletTest.class
192.168.1.10 - - [22/Aug/2013:13:49:37 +0200] [domain.com/sid#1edcb20][rid#215d358/initial] (3) [perdir /var/www/vhosts/domain.com/httpdocs/proxy/] applying pattern '.*' to uri 'directory/applet/appletTest.class'
192.168.1.10 - - [22/Aug/2013:13:49:37 +0200] [domain.com/sid#1edcb20][rid#215d358/initial] (4) [perdir /var/www/vhosts/domain.com/httpdocs/proxy/] RewriteCond: input='192.168.1.10' pattern='!^192\\.168\\.1\\.12' => matched
192.168.1.10 - - [22/Aug/2013:13:49:37 +0200] [domain.com/sid#1edcb20][rid#215d358/initial] (2) [perdir /var/www/vhosts/domain.com/httpdocs/proxy/] forcing responsecode 403 for /var/www/vhosts/domain.com/httpdocs/proxy/directory
192.168.1.10 - - [22/Aug/2013:13:49:37 +0200] [domain.com/sid#1edcb20][rid#215d358/initial] (3) [perdir /var/www/vhosts/domain.com/httpdocs/proxy/] add path info postfix: /var/www/vhosts/domain.com/httpdocs/proxy/directory -> /var/www/vhosts/domain.com/httpdocs/proxy/directory/applet/appletTest.class
192.168.1.10 - - [22/Aug/2013:13:49:37 +0200] [domain.com/sid#1edcb20][rid#215d358/initial] (3) [perdir /var/www/vhosts/domain.com/httpdocs/proxy/] strip per-dir prefix: /var/www/vhosts/domain.com/httpdocs/proxy/directory/applet/appletTest.class -> directory/applet/appletTest.class
192.168.1.10 - - [22/Aug/2013:13:49:37 +0200] [domain.com/sid#1edcb20][rid#215d358/initial] (3) [perdir /var/www/vhosts/domain.com/httpdocs/proxy/] applying pattern '.*' to uri 'directory/applet/appletTest.class'
192.168.1.10 - - [22/Aug/2013:13:49:37 +0200] [domain.com/sid#1edcb20][rid#215d358/initial] (4) [perdir /var/www/vhosts/domain.com/httpdocs/proxy/] RewriteCond: input='192.168.1.10' pattern='!^192\\.168\\.1\\.12' => matched
192.168.1.10 - - [22/Aug/2013:13:49:37 +0200] [domain.com/sid#1edcb20][rid#215d358/initial] (2) [perdir /var/www/vhosts/domain.com/httpdocs/proxy/] forcing responsecode 403 for /var/www/vhosts/domain.com/httpdocs/proxy/directory


Really I don't understand these two behaviors of the server and the proxy
Today I have executed all the code, tomorrow only part of the code.

Any suggestion?
Thanks.
Regards.
[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux