Re: Re: Problem with ProxyPass

[Tom Evans <tevans.uk@xxxxxxxxxxxxxx>]

On Thu, Oct 7, 2010 at 1:27 PM, Michelle Konzack
<linux4michelle@xxxxxxxxxxxxxxx> wrote:
> Hello Tom Evans,
>
> Am 2010-10-07 10:55:59, hacktest Du folgendes herunter:
>> On Thu, Oct 7, 2010 at 6:51 AM, Michelle Konzack
>> <linux4michelle@xxxxxxxxxxxxxxx> wrote:
>> > ----[ '/etc/apache2/conf.d/apache_proxy' ]------------------------------
>> > NameVirtualHost     192.168.0.69:80
>> >
>> > <VirtualHost 192.168.0.69:80>
>> >  ÂServerName     Âwww.tdipmedia.net
>> >  ÂProxyPass      / http://192.168.0.208:80/
>> >  ÂProxyPassReverse  Â/ http://192.168.0.208:80/
>> > Â Â<Directory proxy:http://192.168.0.208:80/*>
>> >    ÂOrder      deny,allow
>> >    ÂAllow      from all
>> > Â Â</Directory>
>> > </VirtualHost>
>> > ------------------------------------------------------------------------
>> Your config doesn't look right to me:
>
> Hmmm, since my three pootle instances where confliction with ÂApache, ÂI
> have setup last year the following config which is working:
>
> ----[ '/VServer_10/APACHE_available/pootle.tdwave.net' ]----------------
> <VirtualHost 192.168.0.69:80>
>  ÂServerAdmin     linux4michelle@xxxxxxxxxxxxxxx
>  ÂServerName     Âpootle.tdwave.net
>
>  ÂProxyPass     Â/images !
>  ÂProxyPass     Â/js !
>  ÂProxyPass     Â/pootle.css !
>  ÂProxyPass     Â/favicon.ico !
>  ÂProxyPass     Â/ http://localhost:8888/
>  ÂProxyPassReverse  / http://localhost:8888/
> Â Â<Directory proxy:http://localhost:8888/*>
>    ÂOrder     Âdeny,allow
>    ÂAllow     Âfrom all
> Â Â</Directory>
>
>  ÂDocumentRoot    Â/usr/share/pootle/html/
> Â Â<Directory /usr/share/pootle/html/>
>    ÂOrder      deny,allow
>    ÂAllow      from all
> Â Â</Directory>
>
> Â Â<Directory />
>    ÂOptions     FollowSymLinks Indexes
>    ÂAllowOverride  None
>    ÂOrder      deny,allow
>    ÂAllow      from all
> Â Â</Directory>
>
> Â Â# debug, info, notice, warn, error, crit, alert, emerg.
>  ÂLogLevel      Âwarn
>  ÂErrorLog      Â/VServer_10/CONFIG_pootle.tdwave.net/log/apache/error.log
>
>  ÂLogFormat      "%{[%Y-%m-%d %H:%M:%S %z]}t %h [%V] %l %u \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" vhost
>  ÂCustomLog      /VServer_10/CONFIG_pootle.tdwave.net/log/apache/access.log vhost
>
>  ÂServerSignature   On
> </VirtualHost>
> ------------------------------------------------------------------------
>
> and now modified it. Âthe only difference is, that the newServer is ÂNOT
> on <localhost> but on IP <192.168.0.208>
>
>>   NameVirtualHost     192.168.0.69:80
>>
>> This says 'When a request comes in on the socket listening on IP
>> 192.168.0.69, port 80, use the Host header from the request to infer
>> the virtualhost to use'.
>
> Right
>
>> <VirtualHost 192.168.0.69:80>
>>  ÂServerName     Âwww.tdipmedia.net
>>
>> </VirtualHost>
>>
>> This says: 'When a request comes in on 192.168.0.69:80, with Host
>> header 'www.tdipmedia.net', use this virtualhost to serve the request'
>
> Right too.
>
>>  ÂProxyPass      / http://192.168.0.208:80/
>>  ÂProxyPassReverse  Â/ http://192.168.0.208:80/
>>
>> This says: 'Proxy / to the website on http://192.168.0.208:80/'
>
> Right too.
>
>> Â Â<Directory proxy:http://192.168.0.208:80/*>
>>    ÂOrder      deny,allow
>>    ÂAllow      from all
>> Â Â</Directory>
>>
>> This is nonsense. A <Directory> refers to a disk location, nothing
>> else. If you wish to restrict who can access a reverse proxy, use a
>> <Proxy> directive or a <Location> directive.
>
> Hmmm...
>
>> Well, you haven't specified anything in your config that would result
>> in a redirect, you have configured a proxy. Apart from that...
>>
>> So there are a couple of things you can check.
>>
>> 1) When you connect to the webserver, are you connecting to 192.168.0.69:80 ?
>
> Yes, and I get:
>
> ----[ command 'wget -S -O /dev/null http://www.tdipmedia.net/' ]--------
>
> --2010-10-07 14:26:26-- Âhttp://www.tdipmedia.net/
> Resolving www.tdipmedia.net... 88.168.69.36
> Connecting to www.tdipmedia.net|88.168.69.36|:80... connected.
> HTTP request sent, awaiting response...
> ÂHTTP/1.1 403 Forbidden
> ÂDate: Thu, 07 Oct 2010 12:26:26 GMT
> ÂContent-Length: 390
> ÂKeep-Alive: timeout=15, max=100
> ÂConnection: Keep-Alive
> ÂContent-Type: text/html; charset=iso-8859-1
> 2010-10-07 14:26:26 ERROR 403: Forbidden.
>
> ------------------------------------------------------------------------
>
> <88.168.69.36> is my fixed PUBLIC IP address Âand Âall Â:80 Âtraffic Âis
> redirected to my DMZ on <192.168.0.69> and some of the servers should be
> proxyied to Servers behind it like the <192.168.0.208>.
>
>> 2) What Host header are you sending to the server? Typically a browser
>> will send the host portion of the URL you type in the address bar -
>> does that match 'www.tdipmedia.net'?
>> 3) Where are your logs? What 'does not work' - explain what you've
>> tried, what the server does when you try that, and what error/info
>> messages are printed in the access and error logs.
>
> [Thu Oct 07 14:16:45 2010] [error] [client 192.168.0.65] client denied by server configuration: proxy:http://192.168.0.208:80/
>
> Thanks, Greetings and nice Day/Evening
> Â ÂMichelle Konzack
>
> --

Can you spot the difference, or shall I point it out? :)

In your working vhost, you have specified a documentroot, and have
granted access to it. In your non working vhost, you haven't done
either, and your <Directory> block doesn't ever get applied, thus
requests are denied.

Either replace your <Directory> block with an appropriate <Location>
block, or give your vhost an empty document root, and change your
Directory block to point at that (/var/empty is where I usually use).

Cheers

Tom

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx