Apache-Rewrite - Firewall - Problem
Hi,
I'm using an often recommended Apache-Zope rewrite setup to mask the internal folder structure in Zope. The crucial line in my Apache (Debian Etch packaged version 2.2.3) is
RewriteRule ^(.*) http://a.b.c.d:9673/VirtualHostBase/http/a.b.c.d:80/myfolder/VirtualHostRoot... [P,L]
where a.b.c.d is the visible address of the machine from outside the firewall, myfolder the folder of my Zope application I want to provide under a.b.c.d:80 and, as Debian users might be comfortable with, 9673 the Zope port (default for Debian).
This setup works fine for the old firewall which is not so strict as the new one, that causes the trouble. The new one exclusively enables port 80 (no 22, 25 etc.).
If I try the rewrite rule above I get the following line in error.log:
[<date>] [error] (110)Connection timed out: proxy: HTTP: attempt to connect to a.b.c.d:9673 (*) failed
access.log says:
194.95.177.123 - - [23/Mar/2007:13:46:58 +0100] "GET / HTTP/1.0" 503 405
For debugging purposes I also write a debugging log:
(the IP address is replaced by a.b.c.d and the visible DNS name by visible.name)
194.95.177.123 - - [23/Mar/2007:13:46:58 +0100] [visible.name/sid#81869c0][rid#81dc4c0/initial] (2) init rewrite engine with requested uri /
194.95.177.123 - - [23/Mar/2007:13:46:58 +0100] [visible.name/sid#81869c0][rid#81dc4c0/initial] (3) applying pattern '^(.*)' to uri '/'
194.95.177.123 - - [23/Mar/2007:13:46:58 +0100] [visible.name/sid#81869c0][rid#81dc4c0/initial] (2) rewrite '/' -> 'http://a.b.c.d:9673/VirtualHostBase/http/a.b.c.d:80/agi/VirtualHostRoot/'
194.95.177.123 - - [23/Mar/2007:13:46:58 +0100] [visible.name/sid#81869c0][rid#81dc4c0/initial] (2) forcing proxy-throughput with http://a.b.c.d:9673/VirtualHostBase/http/a.b.c.d:80/agi/VirtualHostRoot/
194.95.177.123 - - [23/Mar/2007:13:46:58 +0100] [visible.name/sid#81869c0][rid#81dc4c0/initial] (1) go-ahead with proxy request proxy:http://a.b.c.d:9673/VirtualHostBase/http/a.b.c.d:80/agi/VirtualHostRoot/ [OK]
This is exactly the rewrite log I get on the machine that works perfectly behind the old firewall, but the new one causes the strange error above.
When I searched the web with the string in my error.log I stumbled upon the site
http://www.dharwadkar.com/weblog/apache_fc6_01
which gives a slight hint, but there is no SELinux on my box at all but there is a hint to the firewall that might cause the problem.
I have a vague suspicion that this might be very slightly connected with the fact that when I formerly followed the recommendation of
http://plone.org/documentation/how-to/plone-with-apache-1.3
to use "localhost" instead of the IP address of the server (or the FQDN) I blatantly failed because the localhost directive was interpreted by my browser that tried to access a local server (that did not exist). So I learned by this that these Rewrite directives are not addressed to the webserver to deliver a different page than requested but to tell the browser to ask for a different page on the server. If I think about this I wonder whether this is a reasonable strategy of redirection and because I do not regard this as reasonable I'm wondering whether there is an option I could change this behaviour in a way that the server directly answers with the result that can be obtained at the rewritten location - which would probably solve my problem. If my suspicion that the browser is advised to obtain the http://a.b.c.d:9673/... something address is right, it is obvious that this must fail because port 9673 is blocked and there would never be a chance to get any page.
Kind regards
Andreas.
-- http://fam-tille.de
Activate your mod_proxy module.
I had the same problem some days ago with the same traceback, and the activation of the proxy module solved the problem.
2007/3/23, Andreas Tille <tillea@rki.de>:
Hi,
I'm using an often recommended Apache-Zope rewrite setup to mask the internal folder structure in Zope. The crucial line in my Apache (Debian Etch packaged version 2.2.3) is
RewriteRule ^(.*) http://a.b.c.d:9673/VirtualHostBase/http/a.b.c.d:80/myfolder/VirtualHostRoot$1 [P,L]
where a.b.c.d is the visible address of the machine from outside the firewall, myfolder the folder of my Zope application I want to provide under a.b.c.d:80 and, as Debian users might be comfortable with, 9673 the Zope port (default for Debian).
This setup works fine for the old firewall which is not so strict as the new one, that causes the trouble. The new one exclusively enables port 80 (no 22, 25 etc.).
If I try the rewrite rule above I get the following line in error.log:
[<date>] [error] (110)Connection timed out: proxy: HTTP: attempt to connect to a.b.c.d:9673 (*) failed
access.log says:
194.95.177.123 - - [23/Mar/2007:13:46:58 +0100] "GET / HTTP/1.0" 503 405
For debugging purposes I also write a debugging log:
(the IP address is replaced by a.b.c.d and the visible DNS name by visible.name)
194.95.177.123 - - [23/Mar/2007:13:46:58 +0100] [visible.name/sid#81869c0][rid#81dc4c0/initial] (2) init rewrite engine with requested uri /
194.95.177.123 - - [23/Mar/2007:13:46:58 +0100] [visible.name/sid#81869c0][rid#81dc4c0/initial] (3) applying pattern '^(.*)' to uri '/'
194.95.177.123 - - [23/Mar/2007:13:46:58 +0100] [visible.name/sid#81869c0][rid#81dc4c0/initial] (2) rewrite '/' -> 'http://a.b.c.d:9673/VirtualHostBase/http/a.b.c.d:80/agi/VirtualHostRoot/'
194.95.177.123 - - [23/Mar/2007:13:46:58 +0100] [visible.name/sid#81869c0][rid#81dc4c0/initial] (2) forcing proxy-throughput with http://a.b.c.d:9673/VirtualHostBase/http/a.b.c.d:80/agi/VirtualHostRoot/
194.95.177.123 - - [23/Mar/2007:13:46:58 +0100] [visible.name/sid#81869c0][rid#81dc4c0/initial] (1) go-ahead with proxy request proxy:http://a.b.c.d:9673/VirtualHostBase/http/a.b.c.d:80/agi/VirtualHostRoot/ [OK]
This is exactly the rewrite log I get on the machine that works perfectly behind the old firewall, but the new one causes the strange error above.
When I searched the web with the string in my error.log I stumbled upon the site
http://www.dharwadkar.com/weblog/apache_fc6_01
which gives a slight hint, but there is no SELinux on my box at all but there is a hint to the firewall that might cause the problem.
I have a vague suspicion that this might be very slightly connected with the fact that when I formerly followed the recommendation of
http://plone.org/documentation/how-to/plone-with-apache-1.3
to use "localhost" instead of the IP address of the server (or the FQDN) I blatantly failed because the localhost directive was interpreted by my browser that tried to access a local server (that did not exist). So I learned by this that these Rewrite directives are not addressed to the webserver to deliver a different page than requested but to tell the browser to ask for a different page on the server. If I think about this I wonder whether this is a reasonable strategy of redirection and because I do not regard this as reasonable I'm wondering whether there is an option I could change this behaviour in a way that the server directly answers with the result that can be obtained at the rewritten location - which would probably solve my problem. If my suspicion that the browser is advised to obtain the http://a.b.c.d:9673/... something address is right, it is obvious that this must fail because port 9673 is blocked and there would never be a chance to get any page.
Kind regards
Andreas.
-- http://fam-tille.de
-- Mis Cosas http://blogs.sistes.net/Garito
(Fri, Mar 23, 2007 at 03:51:36PM +0100) Andreas Tille wrote/schrieb/egrapse:
I'm using an often recommended Apache-Zope rewrite setup to mask the internal folder structure in Zope. The crucial line in my Apache (Debian Etch packaged version 2.2.3) is
RewriteRule ^(.*) http://a.b.c.d:9673/VirtualHostBase/http/a.b.c.d:80/myfolder/VirtualHostRoot... [P,L]
where a.b.c.d is the visible address of the machine from outside the firewall, myfolder the folder of my Zope application I want to provide under a.b.c.d:80 and, as Debian users might be comfortable with, 9673 the Zope port (default for Debian).
Before trying to debug a rewriterule issue, have you tried a rule you got from the witch?
http://betabug.ch/zope/witch
You will notice that the rule uses 127.0.0.1 - likely your address a.b.c.d is considered to live on an external interface by your firewall. In fact you don't need your FQDN at all in the rewriterule.
On a side note: If your system considers "localhost" to be a different machine, then you have a problem anyway, but not necessarily related to this. In such a case you would have to check your resolver setup.
Regards,
Sascha
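
Added example (not part of the thread and not Apache or Zope code): with the `[P]` flag Apache itself opens the connection to the rewritten URL, so this Python check lists the proxied RewriteRules in a config and reports whether that backend is a loopback address, as the reply above suggests. The sample config is constructed, 192.0.2.10 is a stand-in for a.b.c.d, and the function names are hypothetical.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample config. 192.0.2.10 stands in for the thread's a.b.c.d.
SAMPLE_CONF = """\
RewriteEngine On
RewriteRule ^(.*) http://192.0.2.10:9673/VirtualHostBase/http/192.0.2.10:80/myfolder/VirtualHostRoot$1 [P,L]
RewriteRule ^(.*) http://127.0.0.1:9673/VirtualHostBase/http/192.0.2.10:80/myfolder/VirtualHostRoot$1 [P,L]
RewriteRule ^/old$ /new [R=301,L]
"""

RULE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?\s*$", re.I)
# Zope VirtualHostMonster path: /VirtualHostBase/<scheme>/<public host>:<port>/...
VHM = re.compile(r"^/VirtualHostBase/(https?)/([^/:]+):(\d+)(/.*)?/VirtualHostRoot")

def backend_kind(host):
    """Classify the host Apache itself connects to when a rule is proxied."""
    try:
        return "loopback" if ipaddress.ip_address(host).is_loopback else "non-loopback"
    except ValueError:
        return "hostname"  # depends on the resolver, as noted in the thread

def audit(conf):
    """Return one finding per proxied ([P]) RewriteRule in the config text."""
    findings = []
    for lineno, line in enumerate(conf.splitlines(), 1):
        m = RULE.match(line)
        if not m:
            continue
        flags = {f.strip().upper() for f in (m.group(3) or "").split(",")}
        if not flags & {"P", "PROXY"}:
            continue  # redirects and internal rewrites open no backend connection
        target = urlsplit(m.group(2))
        vhm = VHM.match(target.path)
        findings.append({
            "line": lineno,
            "backend": (target.hostname, target.port),
            "kind": backend_kind(target.hostname),
            "public": (vhm.group(2), int(vhm.group(3))) if vhm else None,
        })
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_CONF):
        print(f"line {f['line']}: Apache connects to {f['backend']} ({f['kind']}); "
              f"URLs generated for {f['public']}")
```

A "non-loopback" finding means the Apache-to-Zope connection leaves through an interface that a port-80-only firewall may filter; the public host and port inside the VirtualHostBase path only affect the URLs Zope generates.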
participants (3): Andreas Tille, Garito, Sascha Welter