With a little side of applesauce...

Tuesday, January 30, 2007

Debian/Apache2 mod_proxy “Forbidden”

The Debian Apache2 mod_proxy is set up to proxy the whole server by default. This being the case, they set a very strict set of rules in the /etc/apache2/mods-enabled/proxy.conf:


ProxyRequests Off


<Proxy *>
Order deny,allow
Deny from all
#Allow from .your_domain.com
</Proxy>

# Enable/disable the handling of HTTP/1.1 "Via:" headers.
# ("Full" adds the server version; "Block" removes all outgoing Via: headers)
# Set to one of: Off | On | Full | Block

ProxyVia On

# To enable the cache as well, edit and uncomment the following lines:
# (no cacheing without CacheRoot)

CacheRoot "/var/cache/apache2/proxy"
CacheSize 5
CacheGcInterval 4
CacheMaxExpire 24
CacheLastModifiedFactor 0.1
CacheDefaultExpire 1
# Again, you probably should change this.
#NoCache a_domain.com another_domain.edu joes.garage_sale.com


Because we run so many virtual hosts, it doesn’t make sense to have this configuration set globally, so I comment these out, and place the appropriate rules per vhost. Here is my /etc/apache2/mods-enabled/proxy.conf:


# ProxyRequests Off

#<Proxy *>
# Order deny,allow
# Deny from all
# #Allow from .your_domain.com
#</Proxy>

# Enable/disable the handling of HTTP/1.1 "Via:" headers.
# ("Full" adds the server version; "Block" removes all outgoing Via: headers)
# Set to one of: Off | On | Full | Block

# ProxyVia On

# To enable the cache as well, edit and uncomment the following lines:
# (no cacheing without CacheRoot)

# CacheRoot "/var/cache/apache2/proxy"
# CacheSize 5
# CacheGcInterval 4
# CacheMaxExpire 24
# CacheLastModifiedFactor 0.1
# CacheDefaultExpire 1
# Again, you probably should change this.
#NoCache a_domain.com another_domain.edu joes.garage_sale.com


REMEMBER!! You must set the correct configuration items in your vhosts which support proxying, or else you are opening yourself up as an anonymous proxy. Here is an example of how I have my config set up:


ProxyRequests Off
#

Deny from all

# proxypass rules
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/


I just found this little tidbit when double-checking my facts for this entry:

“A reverse proxy is activated using the ProxyPass directive or the [P] flag to the RewriteRule directive. It is not necessary to turn ProxyRequests on in order to configure a reverse proxy.”

– http://httpd.apache.org/docs/1.3/mod/mod_proxy.html

And sure enough, the proxypass still works. I don’t know if I still need the LocationMatch with ProxyRequests Off, but it seems to be a safe move, so I will leave it there until I test further.
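
The per-vhost warning above can be checked mechanically. The following is an added example, not code from the original post: a small Python audit that reads Apache configuration text and lists every scope where ProxyRequests is effectively On with no <Proxy> block containing "Deny from all". The sample config, the example.test host names and the audit function are constructed for illustration, and the parser only understands the directives shown in this post.

```python
# Added example, not the blog author's code. SAMPLE is constructed: global
# rules commented out, proxy rules set per vhost, one vhost left open.
SAMPLE = """\
# ProxyRequests Off
<VirtualHost *:80>
    ServerName app.example.test
    ProxyRequests Off
</VirtualHost>
<VirtualHost *:80>
    ServerName open.example.test
    ProxyRequests On
</VirtualHost>
<VirtualHost *:80>
    ServerName guarded.example.test
    ProxyRequests On
    <Proxy *>
        Order deny,allow
        Deny from all
        Allow from 192.0.2.0/24
    </Proxy>
</VirtualHost>
"""

def audit(conf):
    """Return the scopes that would act as an unrestricted forward proxy."""
    glob = {"name": "global", "on": None, "acl": False}
    scopes, cur, in_proxy = [glob], glob, False
    for raw in conf.splitlines():
        words = raw.strip().lower().rstrip(">").split()
        if not words or words[0].startswith("#"):
            continue  # a commented-out directive protects nothing
        key = words[0]
        if key == "<virtualhost":
            cur = {"name": raw.strip(), "on": None, "acl": False}
            scopes.append(cur)
        elif key == "</virtualhost":
            cur = glob
        elif key == "servername" and cur is not glob:
            cur["name"] = raw.split()[-1]
        elif key == "proxyrequests":
            cur["on"] = words[1:] == ["on"]
        elif key in ("<proxy", "</proxy"):
            in_proxy = key == "<proxy"
        elif in_proxy and words[:3] == ["deny", "from", "all"]:
            cur["acl"] = True
    # Unset ProxyRequests inherits the global value (Apache default: Off).
    return [s["name"] for s in scopes
            if (glob["on"] if s["on"] is None else s["on"])
            and not (s["acl"] or glob["acl"])]
```

Calling audit(SAMPLE) returns only open.example.test; an empty list means no scope was found with forward proxying on and no ACL.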

2 comments:

Dave Shuck said...

You rule! I had just set up Apache--> mod_proxy--> Glassfish application and was getting this error. I was stressing as I am trying to get it all intact for Dallas TechFest presentation on Friday! Very cool to find a local person with the solution. I owe you a cup of coffee at Jupiter House! :)

~d

Shannon Eric Peevey said...

I'm glad to have helped! I have moved from Denton, but accept drop-shipped coffee from Jupiter :) Take care!