WebDAV behind a reverse proxy - http

I have 2 servers. One Reverse proxy on the web and one on a private link serving WebDAV.
Both servers are Apache httpd v2.
On the proxy I have:
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass /repo/ http://share.local/repo/
ProxyPassReverse /repo/ http://share.local/repo/
On the dav server I have:
<Location /repo/>
DAV on
Order allow,deny
allow from all
</Location>
The reverse proxy is accessed via https and the private server is accessed via http.
And there lies the problem!
Read only commands work fine. But when I want to move something I get 502 Bad gateway.
The reason for this is the reverse proxy not rewriting the URLs inside the extended dav request.
The source URL is inside the header and is correctly transformed to http://share.local/file1.
The destination URL is inside some xml fragment I do not understand and stays https://example.com/file1 :(
Is there a standard way to let the apache correctly transform the request?
Thanks for your effort.

Hmm, found the answer. Always the same :)
I added the next line to my 'private server' config file:
LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so
RequestHeader edit Destination ^https http early
(e.g. of config location '/etc/httpd/conf.d/DefaultRequestHeader.conf')
and it worked. I don't know if this has drawbacks. I'll see.

The destination URL shouldn't be in XML but in the "Destination" header, as you already noticed. Maybe you were looking at the error response...
In general, this problem would go away when clients and servers implement WebDAV level 3 (as defined in RFC4918), which allows the Destination header to be just a relative path.
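An added example, not part of the original posts, that models the `RequestHeader edit Destination ^https http` rule from the answer next to a narrower variant: the pattern in the answer changes the scheme of every https Destination, while the stricter function rewrites only URLs on the proxy's own name under /repo/, passes relative destinations (the RFC 4918 form mentioned above) through, and refuses the rest. `PUBLIC_HOST`, `REPO_PREFIX` and both function names are assumptions made for this sketch.

```python
import re
from urllib.parse import unquote, urlsplit, urlunsplit

PUBLIC_HOST = "example.com"   # assumed public name of the reverse proxy
REPO_PREFIX = "/repo/"        # path proxied in the question

def broad_edit(destination):
    """Model of `RequestHeader edit Destination ^https http`.

    Swaps the scheme of ANY https URL, whatever host it names.
    """
    return re.sub(r"^https", "http", destination, count=1)

def strict_edit(destination):
    """Return the Destination to forward, or None if it should be refused."""
    parts = urlsplit(destination)
    path = unquote(parts.path)
    # Refuse anything outside the proxied tree, including dot-segment escapes.
    if not path.startswith(REPO_PREFIX) or ".." in path.split("/"):
        return None
    if not parts.scheme and not parts.netloc:
        return destination            # relative form: nothing to rewrite
    if parts.scheme.lower() != "https" or parts.netloc.lower() != PUBLIC_HOST:
        return None                   # not addressed to this proxy
    return urlunsplit(("http", parts.netloc, parts.path, parts.query, ""))

if __name__ == "__main__":
    # Constructed sample header values.
    for dest in ("https://example.com/repo/file1",
                 "https://other.invalid/repo/file1",
                 "/repo/file1",
                 "https://example.com/repo/%2e%2e/outside"):
        print(dest, "| broad:", broad_edit(dest), "| strict:", strict_edit(dest))
```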

Related

Alfresco community to listen to https

I am using alfresco community 5.0.d and it's installed on AWS. I am able to use it via http but I am not able to use it via https.
I have added security listener to https in AWS and also modified alfresco-global.properties as below.
alfresco.context=alfresco
alfresco.host=127.0.0.1
alfresco.port=443
alfresco.protocol=https
share.context=share
share.host=127.0.0.1
share.port=443
share.protocol=https
Still no solution.
Could you let me know the steps or blog for the process.
Thanks.
Personally, I have not set this up on AWS myself, so I don't know how that will affect things and what AWS services you can use to help with some of this, but look at the docs around setting up Alfresco with SSL for test or prod depending on what you want. You need to update your tomcat config or put something in front of it.
http://docs.alfresco.com/5.0/tasks/configure-ssl-test.html
http://docs.alfresco.com/5.0/tasks/configure-ssl-prod.html
Also, if you're going to hit this from the internet (which I assume you are), you should change things from localhost to an IP or hostname. If you're doing SSL that really works, you'll want to use a real certificate and not just a self cert. In that case, you're going to need to make sure your hostname is registered and that the certificate is created against it.
As I said in my comment, this is not what has been asked, but as requested I am explaining my configuration.
I am warning everyone that I am not a network administrator, and even if I am using Alfresco on production use (with back up etc...) the website I am running is not under heavy load, or mission critical, and nobody is interested in hacking my website. So the scenario and configuration below may be unsuitable for you.
Scenario:
Host: one EC2 instance (Linux)
http blocked by EC2 rule, https only allowed
Apache listening to https
Alfresco 4.2 default installation, listening http
And the configuration for my domain:
<VirtualHost *:443>
ServerName mydomain.com
ServerAlias www.mydomain.com
DocumentRoot /alldomain/mydomain/https
ErrorLog path.to.log
SSLEngine on
SSLCertificateFile /path.to.crts/mydomain.crt
SSLCertificateKeyFile /path.to.keys/mydomain.key
SSLCertificateChainFile /path.to.pems/sub.class1.server.sha2.ca.pem
ProxyPass /share ajp://127.0.0.1:8009/share
ProxyPassReverse /share ajp://127.0.0.1:8009/share
ProxyPass /alfresco ajp://127.0.0.1:8009/alfresco
ProxyPassReverse /alfresco ajp://127.0.0.1:8009/alfresco
</VirtualHost>
As I also said I have many advantages:
Easier to renew and change certificates
I can redirect users when doing Alfresco maintenance
I can tune http cache to reduce load on Alfresco

Apache Reverse Proxy to IIS

CentOS 7 running Apache 2.4.6 is acting as the central front facing web server to the Internet. As such it has a few reverse proxy connections setup. They all point to other LAMPs and work great. However I have one IIS server running one of them .Net/ASP websites that just doesn't want to load properly. Using the config below on the Apache, the IIS website loads all of the html & css stuff.
<VirtualHost *:80>
ServerName example.com
ProxyRequests Off
ProxyPreserveHost On
ProxyPass /extDirectory/ http://internalserver/internalDirectory/
<Location /extDirectory/ >
ProxyPassReverse http://internalserver/internalDirectory/
Order allow,deny
Allow from all
</Location>
</VirtualHost>
However it looks like there is a sessionID mishap per this screenshot while accessing site externally:
Compared to the accessing same site internally:
Apache log and what I can gather from IIS's log aren't showing any errors. The only error I am getting is when using IE's built-in developer tools and am seeing the "200 Authorization not found", even though I am logged in successfully.
I wasn't able to fix this using Apache as the ASP.Net developer came through with a fix to their software. This is their reply and solution:
Enterprise creates authorization tokens that are used to authenticate each request coming to the server. Every AJAX request must have a valid authentication token, or it will be rejected. Part of the token is the end user's IP address. If the IP address in the AJAX request is different than the original login request, then the token validation will fail and the AJAX request will be rejected. Enterprise v6.5.2 determines the end user's IP address by looking for three specific HTTP headers in this order: HTTP_X_CLUSTER_CLIENT_IP, HTTP_X_FORWARDED_FOR, REMOTE_ADDR. We think that the proxy server may be sending a different IP address for the AJAX request, which would then cause the token validation to fail and the AJAX request to be rejected.
Open Enterprise's web.config and near the top ADD this line right underneath the element:
<add key="USER_HOST_ADDRESS" value="127.0.0.1" />
Save and close web.config, then restart IIS.
That is it. Turned out to be an ASP.NET issue rather than an Apache.
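An added example, not the vendor's code, of the mechanism the reply describes: a token bound to the client address, with the address taken from the first of the three headers that is present. The HMAC construction, the key, the sample requests and the `pinned` parameter (an assumed model of what the `USER_HOST_ADDRESS` key does) are all assumptions for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"   # constructed value for this example
HEADER_ORDER = ("HTTP_X_CLUSTER_CLIENT_IP", "HTTP_X_FORWARDED_FOR", "REMOTE_ADDR")

def client_ip(env, pinned=None):
    """First non-empty header in the vendor's order, unless an address is pinned."""
    if pinned is not None:          # assumed effect of the USER_HOST_ADDRESS key
        return pinned
    for name in HEADER_ORDER:
        value = env.get(name, "").strip()
        if value:
            return value
    raise ValueError("no client address available")

def issue_token(user, env, pinned=None):
    """Token bound to the user name and the resolved client address."""
    msg = f"{user}|{client_ip(env, pinned)}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def validate(token, user, env, pinned=None):
    """Recompute the token for this request and compare in constant time."""
    return hmac.compare_digest(token, issue_token(user, env, pinned))

# Constructed requests as the backend would see them behind the proxy.
LOGIN = {"HTTP_X_FORWARDED_FOR": "203.0.113.7", "REMOTE_ADDR": "10.0.0.5"}
AJAX_SAME = {"HTTP_X_FORWARDED_FOR": "203.0.113.7", "REMOTE_ADDR": "10.0.0.5"}
AJAX_CHAINED = {"HTTP_X_FORWARDED_FOR": "203.0.113.7, 10.0.0.9",
                "REMOTE_ADDR": "10.0.0.5"}
AJAX_NO_HEADER = {"REMOTE_ADDR": "10.0.0.5"}
OTHER_CLIENT = {"HTTP_X_FORWARDED_FOR": "198.51.100.20", "REMOTE_ADDR": "10.0.0.5"}

if __name__ == "__main__":
    token = issue_token("alice", LOGIN)
    for label, env in (("same header", AJAX_SAME), ("chained header", AJAX_CHAINED),
                       ("header missing", AJAX_NO_HEADER)):
        print(label, "->", validate(token, "alice", env))
    pinned_token = issue_token("alice", LOGIN, pinned="127.0.0.1")
    print("pinned, other client ->",
          validate(pinned_token, "alice", OTHER_CLIENT, pinned="127.0.0.1"))
```

Under that assumption about the pinned address, every request resolves to the same value, so the token no longer distinguishes one client address from another.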

How to exploit HTTP "Host" header XSS vulnerability?

Follow up question of How to exploit HTTP header XSS vulnerability?
Let's say that a page is just printing the value of the HTTP 'Host' header with no escaping. So the page is vulnerable to an XSS attack, i.e. an attacker can craft a GET request with a 'Host' header containing something like alert('xss');.
But how can you actually use this to attack a target? How can the attacker make the target issue that specific request with that specific header?
The http Host header is basically used as a string to figure out which of (potentially many) named-based hosts in the server configuration should be used to serve up the request.
Let's say you forged up an HTTP request and got this header sent over:
Host: <script>alert('foo');</script>.example.com
The ONLY way this could get through to the PHP script you want to attack is if the webmaster configured the server and site definition to allow that explicit hostname, or has wildcard naming in place, e.g.
<VirtualHost ...>
ServerName www.example.com
ServerAlias *.example.com
</VirtualHost>
Since the wildcard allows ANYTHING before .example.com, your JS-hostname would get through.
But a vhost configured like this:
<Virtualhost ...>
Servername www.example.com
ServerAlias web.example.com
</VirtualHost>
would not be vulnerable, because the Host name you've provided is not matched by ANY of the configured hostnames. The request may be handled by some other catch-all vhost, but since your vulnerable script doesn't exist on that site, that's useless to you.
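An added example, not from the original answer, that models the name matching described above and the two checks an application can apply itself: validating the Host value as a hostname and HTML-encoding it before it is written into a page. The matcher is a simplified model of ServerName/ServerAlias matching, not Apache's code, and all function names are assumptions.

```python
import html
import re

def alias_matches(pattern, host):
    """Case-insensitive match; '*' spans any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, host, re.IGNORECASE | re.DOTALL) is not None

def select_vhost(host_header, vhosts):
    """Name of the first vhost whose ServerName/ServerAlias matches, else None."""
    host = re.sub(r":\d+$", "", host_header)      # drop an optional :port
    for name, patterns in vhosts:
        if any(alias_matches(p, host) for p in patterns):
            return name
    return None   # request falls through to the server's default vhost

def is_valid_hostname(host):
    """Letters, digits and hyphens in dot-separated labels, nothing else."""
    return re.fullmatch(r"[A-Za-z0-9-]{1,63}(\.[A-Za-z0-9-]{1,63})*", host) is not None

def render_host(host):
    """Reflect the Host value HTML-encoded, so markup in it is shown as text."""
    return "<p>Host: " + html.escape(host, quote=True) + "</p>"

# The two vhost definitions from the answer, as (name, [ServerName, ServerAlias...]).
WILDCARD = [("site", ["www.example.com", "*.example.com"])]
EXPLICIT = [("site", ["www.example.com", "web.example.com"])]
# Host value quoted in the answer.
SAMPLE_HOST = "<script>alert('foo');</script>.example.com"

if __name__ == "__main__":
    for label, cfg in (("wildcard", WILDCARD), ("explicit", EXPLICIT)):
        print(label, "->", select_vhost(SAMPLE_HOST, cfg))
    print("valid hostname:", is_valid_hostname(SAMPLE_HOST))
    print(render_host(SAMPLE_HOST))
```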

Proxy HTTP requests using subdomain

I'm trying to get the following done:
A HTTP request comes into an address subdomain.domain.com to a public ip on a machine running a proxy (maybe apache? Anything better?)
Based on the subdomain, I'd like the request to be redirected to an internal machine on a private ip, and specific port. The response for that request will come from that internal machine.
What are my options? Any general guidelines out there for achieving this? What's a good proxy implementation choice? Will also need to dynamically add subdomains over time, which redirect to specific internal ips/ports.
How do ssl certificates work in a setup with subdomains? Is a separate certificate required for every subdomain?
The setup isn't too hard. You just make a virtual host for each subdomain and configure the vhosts as proxies. The approach is the same regardless of which proxy software you choose. I recommend you to use Nginx as a reverse proxy since the configuration is easier and the performance is much better than Apache. If you still want to use Apache, make sure you do not run PHP on the proxy machine and use mpm_worker instead of mpm_prefork.
You can make a script which adds new subdomains to the configuration file. It shouldn't be too hard since they will look almost the same, except for the path to the SSL certificate and the IP of the backbone server.
For SSL you can use a wildcard certificate which will cover the entire domain, including subdomains. This is not supported on all platforms, but the support has grown in the last years so it should be pretty safe.
Otherwise, without a wildcard certificate, you will need a certificate and a separate IP address per subdomain (since the SSL connection is set up before the domain name is known, you will need to differentiate different certificates by different IPs).
Apache is perfectly reasonable for this problem. You can do virtual hosts which use mod_proxy:
<VirtualHost *:80>
ServerAdmin xxx#yyy.com
ServerName foo.yyy.com
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyErrorOverride On
ProxyPass / http://192.168.1.1/
ProxyPassReverse / http://192.168.1.1/
<Location />
Order allow,deny
Allow from all
</Location>
</VirtualHost>
If you were looking to host hundreds or thousands of sub-domains you could actually do this with mod_rewrite instead, with a trick involving local name lookups that allowed you to proxy bar.yyy.com to something like local.bar.yyy.com. Using mod_rewrite for mass virtual hosting is mentioned in the apache docs, using it to proxy instead of just rewrite is relatively straightforward. Doing it that way has the advantage that new sub domains can be added purely using DNS though.
In terms of SSL if you are just using *.yyy.com as the subdomains you can use a wildcard certificate (I neither recommend nor disapprove of Thawte, they just had a reasonable description of it). In the general case though hosting multiple SSL sites behind a single public IP address is a bit more tricky.

Flex reverse proxy issues

I'm currently working on setting up a reverse proxy for testing a flex-based web application.
The current setup is using mod_proxy (with mod_proxy_http) to reverse proxy to another host. Everything seems to work except for requests made from the flash player, which result in an error message that says "Security error accessing url".
I have a crossdomain.xml set up on the back end system that simply allows everything, using "<allow-access-from domain="*"/>".
The crossdomain.xml is available off of / from both the backend and proxy server.
The odd part is that when I monitor the connection traffic with firebug, the browser is bypassing the proxy and going straight to the backend server to get the crossdomain.xml file.
Does anyone have any suggestions on how I can get Flex to behave properly in an environment like this?
I have included my proxy configuration below.
<IfModule mod_proxy.c>
ProxyRequests Off
<Proxy *>
AddDefaultCharset off
Order deny,allow
Allow from all
</Proxy>
# Enable/disable the handling of HTTP/1.1 "Via:" headers.
# ("Full" adds the server version; "Block" removes all outgoing Via: headers)
# Set to one of: Off | On | Full | Block
ProxyVia On
<Location "/">
ProxyPass http://backend:9080/
ProxyPassReverse http://backend:9080/
</Location>
</IfModule>
The problem was actually the result of the endpoints written in the WSDLs that were generated by the web application. They contained the URL of the backend server. I had to turn on the "ProxyPreserveHost" directive to get it to use the proxy's url for the endpoints. That fixed the problem.
The flash player needs to be given the URL to the reverse proxy server, not the flex server.
