PHWinfo - Afficher un message - Getting Allow from credentials from a header.

16/03/2005, 14h51

Hi,

Please consider ing with this apache / reverse proxy issue.

A company has some servers, serving a production web site and
an administrative interface. Presently, the servers are load
balanced using IPVS, so the requests from browsers are delivered
to apache with the genuine source ip address of the request.

The admin interface - we'll say is at http://website.com/tools/

The admin interface is locked down by both user/password credentials
and also limited to a range of ip addresses using Allow from
directives in httpd.conf, e.g. :

<Location /tools>
Order deny,allow
Deny from all
Allow from 127.0.0.1
Allow from 10.0.1
Allow from 1.2.3.4
</Location>

The company are now looking to use a reverse proxy, to replace the
IPVS equipment to balance the requests. The reverse proxy sets
an additional header - we'll say that it is called 'xyz' - with the
original ip address of the client.

(The reverse proxies are not running on the same physical hardware
as the web servers)

There are places that this header will be useful - e.g. the company
can still produce a combined log by replacing '%h' with '%{xyz}' in
a LogFormat directive - but the company want to use the details in
this 'xyz' header to authenticate the location of users in Allow
from config options.

i.e. we want the same list of IP addresses in the <Location> tags,
but we want apache to look at a header for the IP info, not the
source requests (which will always be the reverse proxy.)

Any ideas on how this can be done ?

Many thanks for any you can offer,
Andy

--
http://fotoserve.com/ - Prints, Slides, Posters, Mugs, T-shirts,,
Calendars, Jigsaws, Tableware, Caricatures, Greetings cards, Picture
bags, Photo Album and Book covers, Canvas Prints, tissues and more
..... from your own digital images.

16/03/2005, 14h51	#1
Andy Davidson Messages: n/a Hébergeur:	Getting Allow from credentials from a header. Hi, Please consider ing with this apache / reverse proxy issue. A company has some servers, serving a production web site and an administrative interface. Presently, the servers are load balanced using IPVS, so the requests from browsers are delivered to apache with the genuine source ip address of the request. The admin interface - we'll say is at http://website.com/tools/ The admin interface is locked down by both user/password credentials and also limited to a range of ip addresses using Allow from directives in httpd.conf, e.g. : <Location /tools> Order deny,allow Deny from all Allow from 127.0.0.1 Allow from 10.0.1 Allow from 1.2.3.4 </Location> The company are now looking to use a reverse proxy, to replace the IPVS equipment to balance the requests. The reverse proxy sets an additional header - we'll say that it is called 'xyz' - with the original ip address of the client. (The reverse proxies are not running on the same physical hardware as the web servers) There are places that this header will be useful - e.g. the company can still produce a combined log by replacing '%h' with '%{xyz}' in a LogFormat directive - but the company want to use the details in this 'xyz' header to authenticate the location of users in Allow from config options. i.e. we want the same list of IP addresses in the <Location> tags, but we want apache to look at a header for the IP info, not the source requests (which will always be the reverse proxy.) Any ideas on how this can be done ? Many thanks for any you can offer, Andy -- http://fotoserve.com/ - Prints, Slides, Posters, Mugs, T-shirts,, Calendars, Jigsaws, Tableware, Caricatures, Greetings cards, Picture bags, Photo Album and Book covers, Canvas Prints, tissues and more ..... from your own digital images.