Chuck Murcko wrote: > I think reverse proxy is usable all the time - mod_rewrite uses it by > generating an internal request. And you can put rewrite+reverse proxy > rules (possibly using [P] flag) into .htaccess. > > It's also conceptually less confusing to see adjacent default lines in > the config > > ProxyPass off #forward proxy > ReverseProxyPass on #reverse proxy > > Or whatever we call it. The default values are for compatibility with > other modules. I've seen also several instances lately where sites > thought they needed ProxyPass on for reverse proxy _ rewrite but did > not, and had inadvertently been getting exploited as open forward > proxies. The opposite case from the original security implications of > reverse proxy always on. So at the least it's currently confusing, and > could stand to be more clearly and configurably enabled.
The problem seems to be a documentation problem - if people are confused
about how to configure something, then the docs must be fixed to stop
that confusion.
Adding a ReverseProxyPass directive will simply add to that confusion -
two config directives will be needed when previously there were one - so
we are in a worse position than we were before.
In addition, people who blindly upgrade their systems will find their
setups suddenly break - which is a showstopper.
In short, I think warnings need to be added to the documentation rather
than additional directives.
Regards,
Graham
--
-----------------------------------------
[EMAIL PROTECTED] "There's a moon
over Bourbon Street
tonight..."
smime.p7s
Description: S/MIME Cryptographic Signature
