[nycphp-talk] Apache Mod-Proxy Access Control

Joe Leo joeleo724 at gmail.com
Thu May 29 16:24:38 EDT 2008


Chris, thanks for your reply/comments...

> But wait, you said www was acting as a reverse proxy, so why would
> someone go directly to server1?
>

To answer your question above: typically, users will visit the main site, which
has webpage links that would take the user to the inside server via the proxy.
However, that URL is shown/known when the user mouses over the links. So, it can
easily be used for future visits to server-x.mainsite.com.... And, I
suspect, web engines will pick those links up as well.

And even users who access the site via the main site may not have
authenticated before clicking on the link that would take them to the
backend server.

So, you are right, it seems that I would need something like mod_rewrite
and/or the prepend script you mentioned. I've struggled to get my proxy
working and have not yet played around with mod_rewrite. Also, the prepend
script you referred to - can you give me more info on this?

Is there a sample of this script you can share and how it would work? Would
really appreciate any help on this!

Joe

On Thu, May 29, 2008 at 4:08 PM, csnyder <chsnyder at gmail.com> wrote:

> On Thu, May 29, 2008 at 2:03 PM, Joe Leo <joeleo724 at gmail.com> wrote:
>
> > The www.mainsite.com has my drupal users where they can sign-up and
> > authenticate. What I want is: If users enter url server1.mainsite.com then
> > the proxy would somehow prompt users to first login. But, I'm not sure how
> > this can be done/achieved. I would appreciate any comments/suggestions to
> > accomplish this.
> >
>
> It sounds tough, because the browser isn't going to send the
> www.mainsite.com cookie to server1.mainsite.com.
>
> But wait, you said www was acting as a reverse proxy, so why would
> someone go directly to server1?
>
> If all the connections go through www, you can use mod_rewrite to
> check for existence of drupal's session cookie, and redirect to login
> if not found.
>
> If someone knew the setup, they could fake the drupal cookie, so if
> you're trying to protect something valuable using this scheme you may
> need to consider a different mechanism, such as an auto-prepend script
> that checks if the session is valid.
>
>
> --
> Chris Snyder
> http://chxo.com/
>
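The difference between the two checks discussed in this thread (session cookie present vs. session actually valid), as an added example that is not code from the thread or from Drupal: an auto-prepend gate that looks the cookie value up in the server-side session store. It assumes Drupal 6 conventions (cookie named `SESS` plus 32 hex characters; a `sessions` table with `sid`, `uid`, `timestamp`); the function name, idle limit and login URL are hypothetical, and an in-memory SQLite table with constructed rows stands in for the Drupal database.

```php
<?php
// Added example (hypothetical names): gate meant for php.ini's auto_prepend_file.
// Assumes Drupal 6 conventions: cookie "SESS" + 32 hex chars, and a
// `sessions` table with columns sid, uid, timestamp (uid 0 = anonymous).

const MAX_IDLE = 86400; // assumed idle limit in seconds

/** Return the logged-in uid for the given cookies, or 0 if there is none. */
function valid_drupal_uid(PDO $db, array $cookies, int $now): int
{
    foreach ($cookies as $name => $sid) {
        if (!is_string($sid) || !preg_match('/^SESS[0-9a-f]{32}$/', (string)$name)) {
            continue; // not a Drupal session cookie
        }
        // Presence alone proves nothing: the value must match a live,
        // authenticated row in the server-side session store.
        $q = $db->prepare(
            'SELECT uid FROM sessions WHERE sid = ? AND uid > 0 AND timestamp > ?'
        );
        $q->execute([$sid, $now - MAX_IDLE]);
        $uid = $q->fetchColumn();
        if ($uid !== false) {
            return (int)$uid;
        }
    }
    return 0;
}

// --- Constructed demo data; a real deployment connects to the Drupal DB ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sessions (sid TEXT, uid INTEGER, timestamp INTEGER)');
$now = time();
$db->exec("INSERT INTO sessions VALUES
    ('goodsid', 7, $now), ('anon', 0, $now), ('stale', 7, 1)");
$name = 'SESS' . str_repeat('a', 32);

var_dump(valid_drupal_uid($db, [$name => 'goodsid'], $now)); // real session
var_dump(valid_drupal_uid($db, [$name => 'forged'], $now));  // faked cookie value
var_dump(valid_drupal_uid($db, [$name => 'stale'], $now));   // expired session
var_dump(valid_drupal_uid($db, [], $now));                   // no cookie at all

// In the real prepend file the demo is replaced by (login URL is an assumption):
// if (!valid_drupal_uid($db, $_COOKIE, time())) {
//     header('Location: http://www.mainsite.com/user/login'); exit;
// }
```

The script only sees the Drupal cookie when the browser sends it, which, as noted in the quoted reply, means requests arriving through the www proxy rather than directly at the backend hostname.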