Monday, 7 November 2011

Apache HTTPD - settings for use as a pure proxy

When using Apache HTTPD as a pure proxy to an application server, it may be useful to set AllowEncodedSlashes to "On" and set nocanon on the ProxyPass. This has the effect that the URIs are passed to the application server "as is" without Apache doing any security check on them or otherwise attempting to correct them. Naturally this puts the onus on the origin server to be secure.

It may also be useful to set retry=0. By default, after a failure to get a response from the origin server, HTTPD caches the fact that the origin server is unavailable for a minute. This is a pain when automating deployments. Setting retry=0 makes it genuinely proxy every call down to the origin server regardless.

    AllowEncodedSlashes On
    ProxyPreserveHost On
    ProxyPass / http://localhost:8080/ retry=0 nocanon
    ProxyPassReverse / http://localhost:8080/

Along the same lines, when using Tomcat to serve RESTful requests it may be useful to allow encoded slashes. This is turned off by default because if you have a servlet that serves up files it may allow an attacker to retrieve arbitrary files from your server using ../../ type paths. If you are mapping all URLs to servlet(s) that do not do this then you can re-enable them using the following command line arguments:

or by adding the following to $CATALINA_HOME/conf/
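Once Apache forwards URIs "as is" (nocanon, AllowEncodedSlashes On) and the servlet container accepts encoded slashes, the ../../ checks Apache used to do are the origin server's job. The following is an added example, not code from the original post or from Tomcat, showing the decode-once-then-contain check a file-serving handler needs; the web root, file names and request paths are all constructed for the demonstration.

```python
"""Added example, not from the original post: the containment check an
origin server has to perform once Apache forwards URIs "as is" (nocanon,
AllowEncodedSlashes On) and the servlet container accepts encoded slashes.
All request paths and file names below are constructed for the demo."""
import tempfile
from pathlib import Path
from typing import Dict, Optional
from urllib.parse import unquote


def resolve_request_path(root: Path, raw_path: str) -> Optional[Path]:
    """Map a still percent-encoded request path onto a file under root.

    Returns the resolved Path, or None when the request must be refused.
    The path is decoded exactly once and only then canonicalised and
    compared against root, so %2F, %2E%2E and %5C cannot escape it.
    """
    decoded = unquote(raw_path)
    if "\x00" in decoded:                  # NUL would truncate the name in C-level APIs
        return None
    decoded = decoded.replace("\\", "/")   # treat backslash as a separator too
    relative = decoded.lstrip("/")         # join under root, never as an absolute path
    root_resolved = root.resolve()
    candidate = (root_resolved / relative).resolve()
    # Containment: candidate must be root itself or somewhere below it.
    if candidate != root_resolved and root_resolved not in candidate.parents:
        return None
    return candidate


def classify(root: Path, raw_path: str) -> str:
    """Verdict for one request: 'refused' or 'serve <path relative to root>'."""
    resolved = resolve_request_path(root, raw_path)
    if resolved is None:
        return "refused"
    return "serve " + resolved.relative_to(root.resolve()).as_posix()


# Constructed request paths: the kind of input that reaches the origin server
# unchanged when Apache is told not to canonicalise.
SAMPLE_REQUESTS = [
    "/files/report.txt",                  # plain request
    "/files/sub%2Fdir%2Fnote.txt",        # encoded slashes used legitimately as separators
    "/files/..%2F..%2Fetc%2Fpasswd",      # encoded slashes hiding a ../../ traversal
    "/files/%2e%2e/%2e%2e/etc/passwd",    # encoded dots, same traversal
    "/files/..%5C..%5Cwin.ini",           # encoded backslashes
    "/files/%252e%252e/secret",           # double-encoded: decodes once to a literal name
    "/files/report.txt%00.png",           # NUL byte after the real name
]


def demo() -> Dict[str, str]:
    """Run every sample request against a throw-away web root."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "webroot"
        (root / "files" / "sub" / "dir").mkdir(parents=True)
        (root / "files" / "report.txt").write_text("quarterly numbers\n")
        (root / "files" / "sub" / "dir" / "note.txt").write_text("hello\n")
        return {req: classify(root, req) for req in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for req, verdict in demo().items():
        print(f"{req:40} -> {verdict}")
```

The two points that matter are the order of operations and the single decode: the raw path is decoded once, then resolved against the root, and only the resolved result is compared. Decoding twice would turn the double-encoded sample into a traversal; checking before decoding would let %2E%2E through. The legitimate RESTful case (an encoded slash inside a path segment) still works, which is the reason for turning encoded slashes on in the first place.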


  1. Your detailed blog is very good. Keep doing this work.
    Bomb-mp3 UK proxy

  2. I am hoping the same best work from you in the future as well. In fact your creative writing abilities may inspire others.
    Files Tube UK proxy

  3. You completed certain reliable points there. I did a search on the subject and found nearly all persons will agree with your blog. VPN For UK IP Address

  4. A proxy ought to be fit for sifting these treats. Despite the fact that entire filtration of private data isn't conceivable.
    mexican vpn

  5. Many times, you will find more than one forum or website that will tell you if it's legit or not. Getintopc

  6. A Proxy is a focal machine on the system that enables different machines in that system to utilize a mutual Internet association.

  7. In the event that you continue getting this message and can't associate, at that point it might demonstrate that the Contivity VPN Switch can't speak with the customer since it is behind some sort of NAT (Network Address Translation) gadget can isp see vpn