[users@httpd] Re: redirection from within apache....


 



Nick Kew wrote:
> ...
> What documentation did you follow in setting it up?

The docs on apache.org.

> I don't think I've seen any documentation that fails to make it clear
> you should turn ProxyRequests Off, for precisely that reason. Are you
> sure you didn't just provide some classic buggy CGI or PHP spam-nest?

I no longer have the configuration unfortunately so I would show you
what I had done.  But I believe that proxy requests were turned off but
something caused the ACLs limiting the inbound proxy to my machines to
fail.  As a result it would proxy to anything with any port number
including 25.  I even ran two different proxy tests against it and they
did not find any problems.

As for the CGI/PHP problems, that machine was only an inbound proxy for
SMTP and HTTP.  I had stripped off all unnecessary items including PHP.

This experience highlights one of the really annoying things about
Apache. It fails and either doesn't tell you or gives you error messages which are mostly useless. I recently spent a fair amount of time tracking down an extra w in a <directory> definition. One would think that this would be fairly easy to report accurately and in a way that makes it easy for the user to comprehend the problem. All I got was a "client denied by server configuration" error message. The lesson here should be that user interfaces do not stop at the GUI or command line but continue into the error logs.

Bringing it back to the proxy issue, it took me a fair amount of time to
make the Apache proxy work whereas I made pound work in under an hour
and it fails safe. Apache is a good heavyweight server. A proxy is a dedicated narrow focus task that should be made as easy to do right as possible so that unfortunate problems won't occur.

This is yet another lesson.  The Apache documentation is filled with
admonishments to add extra things to your configuration to enhance
security.  Why?  Why not fail safe and make the administrator explicitly
enable functionality?

I know I'm being very critical but it's only from scar tissue I've acquired over the years. I know these problems can be fixed because they are well known, as are their solutions. It just takes commitment and funding to make it so.

---eric




