2
Vote

Add ProxyPassReverseCookieDomain to IIRF to fixup URL paths in cookies set across proxies.

description

See http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#ProxyPassReverseCookieDomain
 
Because the path is attached to a cookie, the mitigation I described above - just making sure that IIRF also proxies the script and image requests and so on - will not apply. A cookie with a wrong path won't result in a request through to IIRF, so there's nothing you can configure in IIRF to make things right, when the Cookie path is wrong.
 
There are some ways I can think of to avoid this problem:
 
  1. Don't use cookies with relative paths when proxying requests
     
  2. The server can be smart about setting cookies, examining the Via header, which indicates how the incoming request was proxied. This requires modification of the target server, in your case the /logviewer app.
     
  3. Don't modify the URL path of requests across proxies
     
    Avoidance #3 is probably easiest in your case. Instead of using /test, use /logviewer in the public, exposed URL.
     

NO NO NOProxyPass ^/test/(.*) http://internal.exammple.com/logviewer/$1

 

YES YES YESProxyPass ^/logviewer/(.*) http://internal.exammple.com/logviewer/$1

 
  1. Getting IIRF to do the work
     
    It may be possible to modify IIRF to do this work intelligently - in other words to examine the response that flows back for the presence of a Set-Cookie header. If one is found, IIRF could modify the path of the cookie (if present) to the path used for the public, external request.
     
    Upon quick consideration, this seems like a relatively benign change, and it should be simple to implement. I'll need to think about it further, though, before I am ready to conclusively say it will be easy and benign.
     
    For now you have a way to get things to work without that change.

comments

bobokonijn wrote Nov 18, 2011 at 6:53 AM

Hi Cheeso,

Thank you very much for taking the time to analyze my problem in-depth and for your excellent suggestions!

Let me explain my situation a bit further.

The servers that I want to proxy (about two dozen of them) are all accessible through URL's like "https://someIP/logviewer" and they're installed on various locations. My purpose is to make them accessible from a central website using url's like https://mycompany.com/Location1 etcetera. The need for this arose because some of these Logviewers are behind VPN's and are not accessible from the public internet, but they can all be PINGed from the machine where our central webserver is installed.

The LogViewer web application is a 32-bit ISAPI DLL and was written by myself in Delphi using the Intraweb framework (which works roughly similar to asp.net). Being a DLL, it can directly interface with some other DLL's of ours that generate complex bitmaps from database data. Unfortunately, the Intraweb framework is closed-source so I have only little influence on the html code and the cookies it generates, therefore I can't solve the proxy problem using your proposed methods (1) and (2).
Nor can I solve the problem using method (3) because ALL these servers are called LogViewer and they must be accessible through separate URL's like /Location1, /Location2 etc.

So my only hope is that the proxy server will also fixup URL paths in cookies. IMHO it would make much sense as a feature because many websites use cookies. I suspect that Octagate does this, too, because my application works with that proxy (but Octagate isn't my first choice to use, because it would require a major change to our web server).





Moreover, since all of these

Sign in to add a comment or to set email notifications