httpd-users mailing list archives

From "Eric S. Johansson" <...@harvee.org>
Subject [users@httpd] Re: redirection from within apache....
Date Sat, 07 May 2005 15:00:35 GMT
Nick Kew wrote:
...
> What documentation did you follow in setting it up?

The docs on apache.org.

> I don't think I've seen any documentation that fails to make it clear
>  you should turn ProxyRequests Off, for precisely that reason.  Are 
> you sure you didn't just provide some classic buggy CGI or PHP 
> spam-nest?

I no longer have the configuration, unfortunately, or I would show you
what I had done.  But I believe that proxy requests were turned off but
something caused the ACLs limiting the inbound proxy to my machines to
fail.  As a result it would proxy to anything with any port number
including 25.  I even ran two different proxy tests against it and they
did not find any problems.

As for the CGI/PHP problems, that machine was only an inbound proxy for
SMTP and HTTP.  I had stripped off all unnecessary items including PHP.

This experience highlights one of the really annoying things about
Apache.  It fails and either doesn't tell you or gives you error 
messages which are mostly useless.  I recently spent a fair amount of 
time tracking down an extra w in a <directory> definition.  One would 
think that this would be fairly easy to report accurately and in a way 
that makes it easy for the user to comprehend the problem.  All I got 
was a "client denied by server configuration" error message.  The lesson 
here should be that user interfaces do not stop at the GUI or command 
line but continue into the error logs.

Bringing it back to the proxy issue, it took me a fair amount of time to
make the Apache proxy work, whereas I made pound work in under an hour
and it fails safe.  Apache is a good heavyweight server.  A proxy is a 
dedicated narrow-focus task that should be made as easy to do right as 
possible so that unfortunate problems won't occur.

This is yet another lesson.  The Apache documentation is filled with
admonishments to add extra things to your configuration to enhance
security.  Why?  Why not fail safe and make the administrator explicitly
enable functionality?

I know I'm being very critical but it's only from scar tissue I've 
acquired over the years.  I know these problems can be fixed because 
they are well-known as are their solutions.  It just takes commitment 
and funding to make it so.

---eric


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
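
The thread's concern (a proxy that relays to any host and port when `ProxyRequests` or the `<Proxy>` access controls are wrong) can be checked before a configuration goes live. The following is an added example, not part of the original message and not code from the Apache project; the function name, the sample configurations and the "Deny from all" heuristic are assumptions made for illustration.

```python
import re

# Constructed sample configurations (Apache 2.0-era syntax), not taken from the post.
OPEN_PROXY = """\
ProxyRequests On
<Proxy *>
    Order deny,allow
    Allow from all
</Proxy>
"""
REVERSE_ONLY = """\
ProxyRequests Off
<Proxy *>
    Order deny,allow
    Deny from all
    Allow from 192.0.2.0/24
</Proxy>
ProxyPass /app/ http://10.0.0.5:8080/app/
"""

def audit_proxy_config(text):
    """Return findings for settings that can expose a forward proxy (heuristic)."""
    findings = []
    proxy_requests = None                  # last explicit ProxyRequests value
    in_proxy, deny_all, open_line = False, False, 0
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip().lower()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"proxyrequests\s+(\S+)", line)
        if m:
            proxy_requests = m.group(1)
        elif re.match(r"<proxy[\s>]", line):
            in_proxy, deny_all, open_line = True, False, number
        elif in_proxy and line.startswith("</proxy>"):
            in_proxy = False
            if not deny_all:               # heuristic: expect an explicit default deny
                findings.append(f"line {open_line}: <Proxy> block has no 'Deny from all'")
        elif in_proxy and re.match(r"deny\s+from\s+all\b", line):
            deny_all = True
    if proxy_requests == "on":
        findings.append("ProxyRequests On: server forwards requests to arbitrary hosts")
    elif proxy_requests is None:
        findings.append("ProxyRequests not set: state it explicitly as Off")
    return findings

if __name__ == "__main__":
    for name, cfg in (("OPEN_PROXY", OPEN_PROXY), ("REVERSE_ONLY", REVERSE_ONLY)):
        print(name, audit_proxy_config(cfg) or "no findings")
```

The check reads one file as text and does not follow `Include` directives or evaluate `Order` semantics, so a clean result is a starting point for review rather than proof that the proxy is closed.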

