Monday, 7 November 2011

Apache HTTPD - settings for use as a pure proxy

When using Apache HTTPD as a pure proxy in front of an application server, it may be useful to set AllowEncodedSlashes to "On" and add the nocanon flag to the ProxyPass line. Between them these make Apache pass the request URI to the application server "as is": AllowEncodedSlashes stops Apache rejecting any path that contains %2F with a 404, and nocanon stops mod_proxy decoding the path, collapsing "." and ".." segments and re-encoding it before forwarding. Apache therefore does no normalisation or sanity checking of its own on those URIs, and the onus is on the origin server to be secure. Note that "On" still means Apache decodes %2F to "/" in its own view of the URI (the one <Location> sections are matched against); on 2.2.18 and later, AllowEncodedSlashes NoDecode keeps the encoded form there as well.

It may also be useful to set retry=0. By default, after a failed attempt to reach the origin server, HTTPD puts that backend worker into an error state and will not try it again for a minute (retry=60), answering requests with a 503 in the meantime. This is a pain when automating deployments, where the application server is restarted and expected to answer straight away. Setting retry=0 makes HTTPD genuinely proxy every call down to the origin server regardless of earlier failures.

    AllowEncodedSlashes On
    ProxyPreserveHost On
    ProxyPass / http://localhost:8080/ retry=0 nocanon
    ProxyPassReverse / http://localhost:8080/

Along the same lines, when using Tomcat to serve RESTful requests whose path segments legitimately contain an encoded slash, it may be useful to allow encoded slashes there too. Tomcat refuses them by default (with a 400) because a servlet that builds a file path from the request URI could otherwise be coaxed into retrieving files outside its directory with ../../ style paths once %2F is turned into a separator. If every URL is mapped to servlet(s) that do nothing of the sort, they can be re-enabled with the following JVM system properties (for example in CATALINA_OPTS):

    -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true
    -Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true

or by adding the following to $CATALINA_HOME/conf/catalina.properties:

    org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true
    org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true

The second property additionally lets a backslash in the path be treated as a separator instead of being rejected; only set it if the application actually needs that.
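Both passages above come down to what survives the trip from client to servlet once Apache stops canonicalising. The following Python, written for this page and not taken from Apache, Tomcat or the post, models that trip in simplified form: the Apache stage with and without the directives above, the Tomcat stage with and without the two system properties, and the containment check a file-serving servlet should then apply itself. DOCROOT, the /files/* servlet mapping and the sample request paths are hypothetical.

```python
"""Simplified model of the path a request takes through the chain above.
Added example written for this page, not Apache or Tomcat code. DOCROOT, the
/files/* servlet mapping and the sample requests are hypothetical.
"""
from urllib.parse import quote, unquote
import posixpath

DOCROOT = "/srv/files"       # hypothetical document root of a file-serving servlet
SERVLET_PREFIX = "/files/"   # hypothetical servlet mapping /files/*


class Rejected(Exception):
    """Request refused before reaching the servlet; message is 'stage status'."""


def apache_forward(raw_path, allow_encoded_slashes=False, nocanon=False):
    """Path Apache hands to the backend.
    Default: %2F in the path is refused with 404, otherwise mod_proxy decodes,
    collapses '.'/'..' segments and re-encodes. With AllowEncodedSlashes On
    plus nocanon (the post's setup) the path is forwarded byte for byte; "On"
    without nocanon silently turns %2F into a plain '/'.
    """
    if "%2f" in raw_path.lower() and not allow_encoded_slashes:
        raise Rejected("apache 404")
    if nocanon:
        return raw_path
    return quote(posixpath.normpath(unquote(raw_path)))


def climbs_above_root(path):
    """True if a '..' segment in path would step above '/'."""
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def tomcat_parse(path, allow_encoded_slash=False, allow_backslash=False):
    """Decoded, normalised path Tomcat maps to a servlet (every refusal is 400).
    %2F is refused unless UDecoder.ALLOW_ENCODED_SLASH is set; a backslash in
    the decoded path is refused unless CoyoteAdapter.ALLOW_BACKSLASH is set,
    in which case it is treated as '/'; climbing above the root is refused.
    """
    if "%2f" in path.lower() and not allow_encoded_slash:
        raise Rejected("tomcat 400")
    decoded = unquote(path)
    if "\\" in decoded:
        if not allow_backslash:
            raise Rejected("tomcat 400")
        decoded = decoded.replace("\\", "/")
    if climbs_above_root(decoded):
        raise Rejected("tomcat 400")
    return posixpath.normpath(decoded)


def resolve_under_docroot(path_info):
    """Containment check the servlet applies itself: the joined path must stay
    under DOCROOT, else None. A real handler would also apply os.path.realpath()
    so that a symlink cannot escape either."""
    candidate = posixpath.normpath(posixpath.join(DOCROOT, path_info.lstrip("/")))
    if candidate != DOCROOT and not candidate.startswith(DOCROOT + "/"):
        return None
    return candidate


def serve(raw_path, page_settings=False):
    """Run one request through Apache, Tomcat and the servlet; return the resolved
    file, or 'stage status' where it was refused. page_settings=True applies the
    post's directives and system properties, False is both products' defaults."""
    try:
        forwarded = apache_forward(raw_path, page_settings, page_settings)
        mapped = tomcat_parse(forwarded, page_settings, page_settings)
    except Rejected as err:
        return str(err)
    if not mapped.startswith(SERVLET_PREFIX):
        return "tomcat 404"              # nothing mapped there in this model
    resolved = resolve_under_docroot(mapped[len(SERVLET_PREFIX):])
    return resolved if resolved else "servlet 403"


if __name__ == "__main__":
    SAMPLE_REQUESTS = [                  # constructed request paths
        "/files/report.pdf",
        "/files/2011%2F11%2Freport.pdf", # REST id that legitimately contains '/'
        "/files/..%2F..%2Fetc%2Fpasswd",
        "/files/a%2F..%2F..%2Fetc%2Fpasswd",
        "/files/..\\..\\etc\\passwd",
    ]
    for settings in (False, True):
        print("page settings applied:", settings)
        for req in SAMPLE_REQUESTS:
            print(f"  {req:36} -> {serve(req, settings)}")
```

Run it and compare the two passes: with the defaults the encoded-slash request never gets past Apache, so the application is never asked about it; with the post's settings the legitimate "2011%2F11" request resolves under DOCROOT, while the traversal attempts are stopped only by Tomcat's own decode-then-normalise step and, behind that, by the servlet's containment check. That is what "the onus is on the origin server" means in practice, and why the servlet keeps its own check rather than trusting the front end.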

5 comments:

  1. Your detailed blog is very good. Keep doing this work.
    Bomb-mp3 UK proxy

  2. I am hoping the same best work from you in the future as well. In fact your creative writing abilities may inspire others.
    Files Tube UK proxy

  3. You completed certain reliable points there. I did a search on the subject and found nearly all persons will agree with your blog. VPN For UK IP Address

  4. A proxy ought to be fit for sifting these treats. Despite the fact that entire filtration of private data isn't conceivable.
    mexican vpn

  5. Many times, you will find more than one forum or website that will tell you if it's legit or not. Getintopc
