Re: [users@httpd] SUSE 9.2 Apache 2.0.50 Rewrite problem[SOLVED]

Thank you to all who responded with information; it all made a difference. My last experiment proved it had to be something with the Apache package. Basically I did a literal Rewrite with no translation required: just take the replacement URL http://xxx.xxx.xxx.xxx:8080/VirtualHostBase/http/wwservice.my.net:80/wwservice/VirtualHostRoot/ [L,P] and let it go. It failed to arrive at Zope's port.

I then undertook to examine all of SUSE LINUX Pro 9.2's 28 Apache .conf files. I found that ProxyRequests is by default turned Off; turning it On, it works. Simple. Off is SUSE's default but I do not know if that is the Apache distribution default. While exploring the Rewriting, and now Proxy, issue I came across a couple of books that covered Apache security. One issue that all discussed is preventing Apache's proxy from being used as an open relay.

Open relay proxying can be prevented of course by turning ProxyRequests Off, but for proxying Zope's URL it has to be turned On; however, other security measures are possible. One way is to use a <Proxy wildcard-url> directive to place access restrictions like this:

<Proxy *>
    Order Deny,Allow
    Deny from all
    # Define your local network or as you please.
    Allow from xxx.xxx.xxx
</Proxy>

Add some firewall configuration and possibly use Nick Kew's mods, see below, and you will have a number of security and access options.

Back to the issue at hand. Apache's mod_rewrite module does a rewrite and then puts that through mod_proxy. The RewriteLog and RewriteLogLevel commands allow observation of mod_rewrite's processing results. When finished the URL needed to look like this: proxy:http://xxx.xxx.xxx.xxx:8080/wwservice/ which proceeds in this case to Zope's port.

SUSE's YaST configuration utility, now GPL'ed, can be somewhat awkward for Apache configuration and testing. It is possible to directly access its programs with the line yast <program>. That should reduce the change, run, test, & read logs cycle times with the addition of some very simple scripts. The configuration files are held in /etc/apache2 with Apache information in /usr/share/doc/packages/apache2. Logging files are kept in /var/log/apache2. SUSE's httpd.conf file suggests the creation of httpd.conf.local which is included at the end of the standard .conf file. That file should outlast any system upgrades. I placed the needed ProxyRequests and <Proxy ...> directive and commands in this local file. An alternative to the local file is to do all Apache configuration in the traditional manner using your favorite editor.

As a last comment I will have to spend the time to obtain the documentation for each of the modules in the configuration to see how they will affect interaction with Apache and Zope. Thank you for all your help.

REFERENCES ONLINE:
mod_proxy ---> http://httpd.apache.org/docs-2.0/mod/mod_proxy.html
Nick Kew -----> http://apache.webthing.com
Apache Week --> http://www.apacheweek.com

BOOKS:
Apache: The Definitive Guide, Ben & Pete Laurie; Very good but not as complete as I hoped
Pro Apache, Peter Wainwright; A wealth of practical examples and insights
Hardening Apache, Tony Mobily; Just that, security issues

On Sat, 26 Mar 2005 23:46:10 -0500, John S. Wolter
<johnswolter@xxxxxxxxxxxxxxx> wrote:
I may have a subtle Apache(2.0.5) Rewrite error I can't backtrack.  I'm not sure I'm
getting out of the Apache environment.  I'm using the Apache Rewrite inside a <VirtualHost>
to a Zope.org content management system folder /wwservice declared as / at the same IP but
port 8080.  It works like most Rewrites directing a URL to another.  I'm using a technique
documented in http://www.zope.org/Members/lams/HowTo.2004-05-17.0444, "Installing and
configuring Zope 2.7 with VHM, apache 2 and rewrite rules".

I'm getting a Forbidden 403, "You don't have permission to access / on this server",
message after the Rewrite activity.  I look in the Rewrite log and it is rewriting for
IP:8080/wwservice.  Where is it being sent?  LINUX filesystem? Zope?  I don't think it is
getting to Zope as I can see the Rewrite log entries action but nothing added to Zope's
access Z2.log.  No action there like it never arrived at IP:8080.

It might help to provide more complete excerpts from the error_log and
RewriteLog.

Joshua.



--
------------ Wolter Works - Always Innovating -------------
- Industry and Commerce Internet Invention & Innovation
- Internet Marketing Product Concepts & Implementation

mailto:johnswolter@xxxxxxxxxxxxxxx

John Wolter, President
1531 Jones Drive
Ann Arbor, MI 48105-1871 USA
1-734-665-1263

Copyright 2004 John S. Wolter
Neither this information block, the typed name of the sender,
nor anything else in this message is intended to constitute an
electronic signature unless a specific statement to the contrary
is included in this message.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
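
An added example, not part of the original post: a small Python check for the open-relay condition discussed above, flagging a configuration where ProxyRequests is On but no <Proxy *> block restricts access. The sample configurations, the 192.0.2 prefix and the function names are constructed for illustration; the check assumes Order Deny,Allow as in the post and ignores per-VirtualHost scoping.

```python
import re

# Constructed sample configurations; 192.0.2 is a documentation prefix.
OPEN_RELAY = "ProxyRequests On\n"
RESTRICTED = """\
ProxyRequests On
<Proxy *>
    Order Deny,Allow
    Deny from all
    # local network only
    Allow from 192.0.2
</Proxy>
"""
ALLOW_ALL = RESTRICTED.replace("Allow from 192.0.2", "Allow from all")

def directives(conf_text):
    """Yield (proxy_section, name, args); directive names are case-insensitive."""
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<\s*Proxy\s+(.+?)\s*>$", line, re.I)
        if opened:
            section = opened.group(1).strip('"')
        elif re.match(r"</\s*Proxy\s*>$", line, re.I):
            section = None
        else:
            name, *rest = line.split(None, 1)
            yield section, name.lower(), " ".join("".join(rest).lower().split())

def audit_proxy(conf_text):
    """Return findings for forward-proxy exposure (assumes Order Deny,Allow)."""
    forward_on = deny_all = allow_all = False
    for section, name, args in directives(conf_text):
        if name == "proxyrequests":
            forward_on = args == "on"          # the last setting wins
        elif section == "*" and name == "deny" and args == "from all":
            deny_all = True
        elif section == "*" and name == "allow" and "all" in args.split()[1:]:
            allow_all = True
    findings = []
    if forward_on and not deny_all:
        findings.append("ProxyRequests On with no 'Deny from all' in <Proxy *>")
    if forward_on and allow_all:
        findings.append("<Proxy *> has 'Allow from all'")
    return findings

if __name__ == "__main__":
    for label, conf in [("open", OPEN_RELAY), ("restricted", RESTRICTED), ("allow-all", ALLOW_ALL)]:
        print(label, audit_proxy(conf))
```

To audit a real installation, concatenate the files under /etc/apache2 (including httpd.conf.local) and pass the text to audit_proxy.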


