RE: [users@httpd] Reverse proxing through apache where backend server users cookie authentication


 




Hello:

I've been following this thread with great interest. A couple of months ago I was experiencing the same - I believe - problem. It involved the pubcookie (www.pubcookie.org) WebISO single sign-on software, which uses session cookies for authentication with a login server. It is my experience that they (the cookies) did indeed get lost between the backend server and the browser.


My configuration has Zope running behind Apache, using mod_rewrite to reverse proxy. I put enough print debug statements into the code (both pubcookie and Apache) to verify that the cookies were being created, but they never made it back to the client. A much more clever programmer has created a solution, a patch to proxy_util.c.

This patch was developed by Brett Beaumont, and can be found here:
http://www.issociate.de/board/post/102303/mod_proxy_and_authentication_cookies.html

Here's more evidence of the same problem:

http://asg.web.cmu.edu/archive/message.php?mailbox=archive.pubcookie-users&msg=1098

(FWIW, it's possible that this mail client will mangle the underscore character to "=5f", such that mod(underscore)proxy... looks like mod=5Fproxy...)

This patch would seemingly need to be incorporated by the Apache development team, and that is apparently what Brett wanted to do, but obviously it didn't get there. Maybe this forum will help in that effort.

I have tried to contact Brett, and the pubcookie development team, for recommendations for further action, but have not received a reply.

I hope this helps. If I am in error, any clarification would be greatly appreciated.




Regards,

Peter Link




Axel-Stéphane SMORGRAV <Axel-Stephane.SMORGRAV@xxxxxxxxxxxxxx>
07/18/2005 09:33 AM
Please respond to: users@xxxxxxxxxxxxxxxx
To: <users@xxxxxxxxxxxxxxxx>
cc:
Subject: RE: [users@httpd] Reverse proxing through apache where backend server users cookie authentication





There is no reason that your cookie should be lost on its way between the browser and the backend server. You do not need to do anything in particular to have the cookie forwarded to the application even when using rewrite rules for reverse proxying. Cookies are end-to-end headers and are not modified by Apache unless you do something peculiar in your configuration.

If the cookies are not included in requests from the browser, chances are that the browser does not send them. That can happen for several reasons:
1. The cookie domain does not match the domain of your site.
2. The cookie path does not match the path of the request.
3. The backend server does not set any cookies.
4. The secure cookie flag is set and the connection is not HTTPS.

You can check that by sniffing the HTTP exchanges between reverse proxy and backend server, or by using a browser tool like HTTPWatch.

-ascs

-----Original Message-----
From: Ranjan, Rajiv [mailto:Rajiv.Ranjan@xxxxxxxxxxxx]
Sent: Monday, July 18, 2005 1:50 PM
To: users@xxxxxxxxxxxxxxxx
Subject: RE: [users@httpd] Reverse proxing through apache where backend server users cookie authentication

Hi Boyle,

I added the CO flag to my rewrite rule and checked in the browser to see if the cookies were created. They were not.

I am sending you the conf snippet I am using. Can you please tell me where I am going wrong in it?

<VirtualHost <apache server ip:port>>
    ServerName <apache server ip>
    ProxyVia on
    RewriteEngine on
    RewriteLog logs/rajiv_rewrite.log
    RewriteLogLevel 9
    Redirect / http://<apache server ip:port >/wps/portal
    RewriteRule ^/wps(.*)
        http://<my backend server ip and port>%{REQUEST_URI}
        /http/<apache server ip:port>/wps/portal/$1 [P,CO=JSESSIONID:%{HTTP_COOKIE}:<backend server domain, eg - .dev01.tesco.org>,CO=LtpaToken:%{HTTP_COOKIE}:.dev01.tesco.org]
</VirtualHost>

_Rajiv

-----Original Message-----
From: Boyle Owen [mailto:Owen.Boyle@xxxxxxx]
Sent: Monday, July 18, 2005 4:25 PM
To: users@xxxxxxxxxxxxxxxx
Subject: RE: [users@httpd] Reverse proxing through apache where backend server users cookie authentication

Plain text please...

The cookie is probably in the response so gets to the browser, but then does not get back to the server via the RewriteRule.

I think you might have to copy the cookie explicitly. Check http://httpd.apache.org/docs-2.0/mod/mod_rewrite.html and look for "cookie" for details. Something like:

                [CO=name_of_cookie:%{HTTP_COOKIE}:your_domain]

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored.

Diese E-mail ist eine private und persönliche Kommunikation. Sie hat keinen Bezug zur Börsen- bzw. Geschäftstätigkeit der SWX Gruppe. This e-mail is of a private and personal nature. It is not related to the exchange or business activities of the SWX Group. Le présent e-mail est un message privé et personnel, sans rapport avec l'activité boursière du Groupe SWX.


-----Original Message-----
From: Ranjan, Rajiv [mailto:Rajiv.Ranjan@xxxxxxxxxxxx]
Sent: Montag, 18. Juli 2005 11:54
To: users@xxxxxxxxxxxxxxxx
Subject: [users@httpd] Reverse proxing through apache where backend server users cookie authentication


Hi Guys,

I am trying to use apache as my reverse proxy for my backend server which uses Cookie based authentication.

I am using mod_rewrite for the proxying part and am able to come till the login page.
But am unable to login to the system.
I suspect that it has something to do with the cookies not being reverse proxied or something.

I am using Apache 2.0.54 on a windows XP system.

Can anyone please tell me what probably could be the issue with my configuration?

Regards,
Rajiv.



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
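
Added example, not part of the original thread: a small Python check that applies the four reasons listed in Axel-Stéphane's reply to a Set-Cookie header as seen at the browser, reporting why the cookie would be left out of the next request through the proxy. It uses simplified RFC 6265 domain and path matching (no public-suffix or expiry handling), and the host names, addresses and cookie values are constructed.

```python
from http.cookies import SimpleCookie
from ipaddress import ip_address
from urllib.parse import urlsplit

def is_ip(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False

def domain_match(host, domain):
    # RFC 6265 5.1.3: same name, or a subdomain of it (never for IP literals)
    host, domain = host.lower(), domain.lower().lstrip(".")
    return host == domain or (host.endswith("." + domain) and not is_ip(host))

def path_match(req_path, cookie_path):
    # RFC 6265 5.1.4: equal, or cookie path is a prefix ending on a "/" boundary
    if req_path == cookie_path:
        return True
    rest = req_path[len(cookie_path):]
    return req_path.startswith(cookie_path) and (cookie_path.endswith("/") or rest.startswith("/"))

def default_path(p):
    # Used when Set-Cookie carries no Path: directory of the URL that set it
    return (p[:p.rfind("/")] or "/") if p.startswith("/") else "/"

def why_not_sent(set_cookie, set_by_url, next_url):
    """Reasons a browser would omit the cookie from the request to next_url."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    if not jar:
        return ["not-set"]            # reason 3: backend set no cookie
    morsel = next(iter(jar.values()))
    origin, target = urlsplit(set_by_url), urlsplit(next_url)
    reasons = []
    domain = morsel["domain"]
    if domain:
        # A Domain the setting host does not belong to is discarded on receipt
        if not (domain_match(origin.hostname, domain) and domain_match(target.hostname, domain)):
            reasons.append("domain")  # reason 1
    elif target.hostname != origin.hostname:
        reasons.append("domain")      # host-only cookie, different host
    if not path_match(target.path or "/", morsel["path"] or default_path(origin.path)):
        reasons.append("path")        # reason 2
    if morsel["secure"] and target.scheme != "https":
        reasons.append("secure")      # reason 4
    return reasons

if __name__ == "__main__":
    # Constructed case: backend-scoped Domain, browser talking to the proxy by IP
    print(why_not_sent("JSESSIONID=0000abc; Domain=.dev01.example.org; Path=/wps",
                       "http://192.0.2.10:8080/wps/portal", "http://192.0.2.10:8080/wps/myportal"))
```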


