www-modproxy-dev mailing list archives

From Brian.Rich...@kmzr.com
Subject Apache 1.3.26 + Header-manipulation patches for Apache mod_proxy
Date Mon, 24 Jun 2002 19:42:02 GMT


I am writing to the mod_proxy list to ask a question.  I am sorry if this
has been brought up before and addressed.  I figure it probably has not
since it has not been available in the Apache distribution since 1.3.19
when I started using it.

What I am referring to is a patch a gentleman made for mod_proxy that
allows header manipulation. Kwin Kramer is his name.

The environment I work in we do not use commercial reverse proxy servers.
We use entirely Apache and mod_securid to shield all of the wimpy IIS
servers half our software REQUIRES to run on to be web enabled.

I helped them web enable several applications over a period of time, 2 of
which were Lotus iNotes for retrieving email and I-Manage, which is a
document manager.

Our users cannot use any web application until AFTER they have
authenticated with their SecurID token.

Problem came in when someone above me says, OK we are moving to Outlook,
No more Lotus Notes..  so after they set up some beta boxes and got OWA
(Outlook Web Access) running they asked me to set up some reverse proxy
rules to pass OWA for clients.

So with the help of another co-worker we tried to get OWA working with
mod_proxy and Apache.  We could never get it 100%. (We do SSL to the Apache
box, then non-ssl from the reverse proxy to the OWA box internally)

After my co-worker figured out what was going on he stumbled onto the web
site I linked to above. http://allafrica.com/tools/apache/mod_proxy/
There actually was a link if I remember correctly in MS knowledge base on
OWA communication.

There, a guy wrote a very handy patch that after adding one line we got OWA
working 100% in our environment.

The line winds up being:

ProxyRequestHeader set Front-End-Https On

Now you will have to forgive me if there is an easier way to accomplish
this, we scoured the newsgroups and the ONLY other solution we found short
of dropping Apache and using some other product was using a hacked
mod_proxy_add_forward.c. I could not find anyone that actually accomplished
this though.  I found a lot of unanswered questions in regards to OWA and
Apache. (1.3.x)

If there is another way to do this please let me know. And if this is even
applicable to 2.x

Now after this last weekend I had to upgrade all our reverse proxy servers
because of the exploit floating around that affected pre 1.3.26 loads.

To my dismay, the patch for 1.3.19 did not apply to 1.3.26.   I was stuck,
if I kept running the older version we were open to attack.. I thought of
trying to match up the diffs on the patch files to figure out exactly what
was going on to see if I could do something myself..

Instead, I emailed Kwin and got a very prompt response.  He came up with
new patches for 1.3.26 within a couple days which was really great!

My question is, is there not some value with his patches he has made?
Enough of a value to be added into the distribution? And does 2.x even need
it? I have yet to look into running 2.x, I first have to find out if it
supports our SecurID module and test it before I even think of that.

I am sure there are applications to come that we will have to rely on this
to get the app to be web enabled and play nice for a client.

It would be really nice if this functionality was built in.  And extra
patches were not necessary.

Now I am not the Apache expert, so I have no idea if what we were trying to
accomplish above could have been pulled off with a bunch of complicated
re-write rules or something else so please don't flame me to death if this
is the case.

Sorry for the long message and thanks for everyone's time that read this.




