Re: Rewriting incoming & outgoing headers

2002-07-21 Thread josv


And thus it came to pass that Thomas Eibner wrote:
(on Fri, Jul 19, 2002 at 01:50:47PM +0200 to be exact)

> On Fri, Jul 19, 2002 at 07:56:58AM +0200, [EMAIL PROTECTED] wrote:
> > Hi all,
> > 
> > First of all, here is the Required Disclaimer: "Hi everybody, I am 
> > insane and new to the list. I am also emotionally very vulnerable and 
> > can not handle rejection very well..." :-)
> > 
> > Ok, now this is out of the way, I would greatly value your thoughts and 
> > opinions about the following:
> > 
> > Due to an "interesting" (which in this case is political correctese
> > for "stupid") networking situation at a customer I am experiencing
> > various problems with incoming and outgoing HTTP headers. There are so
> > many forward and reverse proxies all over the place that all sorts
> > of stuff is going wrong.
> > 
> > Therefore, I am in dire need of an HTTP header rewriting capability
> > that can add, delete *and* rewrite HTTP headers just after coming into
> > the server and just before going out to the browser.
> 
> for 1.3 at least:
> 
> 1) post read request phase
> 2) fixup phase
> 
> And why can't you do that with a simple custom written module?
> 
> -- 
>   Thomas Eibner  DnsZone 

1) is certainly true, but I wonder whether 2) is true...

If I look at the Apache 1.3 source code, it seems to me that it is the
responsibility of the handler routine that generates the content to
add/change any required output headers and then start generating the
content. I took the following from mod_example:

  Since content handlers are dumping data directly into the connexion
  (using the r*() routines, such as rputs() and rprintf()) without
  intervention by other parts of the server, they need to make
  sure any accumulated HTTP headers are sent first.  This is done by
  calling send_http_header().  Otherwise, no header will be sent at all,
  and the output sent to the client will actually be HTTP-uncompliant.

And this is backed up by the code. The "send_http_header" routine in 1.3
has no further hooks to do any rewriting on anything that has been
generated between the call to the handler and the send_http_header()...

I am still looking in the Apache 2.x source trees to see if there's
anything there that can help us.

++Jos.nl





-- 
"Freedom" is just another word for "nothing left to lose"...




Re: Rewriting incoming & outgoing headers

2002-07-19 Thread Thomas Eibner

On Fri, Jul 19, 2002 at 07:56:58AM +0200, [EMAIL PROTECTED] wrote:
> Hi all,
> 
> First of all, here is the Required Disclaimer: "Hi everybody, I am 
> insane and new to the list. I am also emotionally very vulnerable and 
> can not handle rejection very well..." :-)
> 
> Ok, now this is out of the way, I would greatly value your thoughts and 
> opinions about the following:
> 
> Due to an "interesting" (which in this case is political correctese
> for "stupid") networking situation at a customer I am experiencing
> various problems with incoming and outgoing HTTP headers. There are so
> many forward and reverse proxies all over the place that all sorts
> of stuff is going wrong.
> 
> Therefore, I am in dire need of an HTTP header rewriting capability
> that can add, delete *and* rewrite HTTP headers just after coming into
> the server and just before going out to the browser.

for 1.3 at least:

1) post read request phase
2) fixup phase

And why can't you do that with a simple custom written module?

-- 
  Thomas Eibner  DnsZone 
  mod_pointer  
  !(C)  
  Putting the HEST in .COM 



Re: Rewriting incoming & outgoing headers

2002-07-19 Thread Graham Leggett

[EMAIL PROTECTED] wrote:

> The biggest problem we have is with redirections that are being returned
> to the browser.

Ok.

> We use the Netegrity SiteMinder product to implement single sign on
> for the entire web server park. The SiteMinder web agent that is plugged
> into each web server assesses whether a user has already logged in
> (cookies) and if not redirects back to the logon web server which
> performs the logon process (with all sorts of fancy smart card
> technology if needed).
> 
> This means that SiteMinder returns a 30x reply with a Location header
> that goes something like:
> 
> Location: http://loginserv.internal.bigacme.com?return=http://webserv.internal.bigacme.com

The "return" parameter is yuck - this is what is making the wheels fall off.

Currently the ProxyPassReverse directive fixes the URLs of headers which 
are themselves URLs, but it does not fix any parameters embedded in the 
URL itself (in your case, the "return" parameter).

Does mod_rewrite not do header rewriting?

Your second problem is that SiteMinder seems to be redirecting you to 
the internal name of the authentication website. As far as Apache is 
concerned, it only knows about the *current* website. If some other 
website you redirect to (in this case the auth site) is also behind a 
hidden URL, Apache has no way of knowing this is the case.

Tell your SiteMinder agents that your login server can be found at 
http://login.bigacme.com/ (the external address of the login server, 
wherever that is). This will solve half your problem.

Regards,
Graham
-- 
-
[EMAIL PROTECTED] 
"There's a moon
over Bourbon Street
tonight..."
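
The rewrite that ProxyPassReverse does not cover, as an added example that is not part of the original thread or of Apache: a stand-alone C routine that replaces internal URL prefixes in a Location value, both in the host part and inside the "return" parameter. The mapping table (built from the simplified names used in the thread), the function names, and the assumption that the embedded URL is not percent-encoded are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Internal-to-external URL prefixes, constructed from the simplified
 * names in the thread; a real module would read them from configuration. */
static const char *url_map[][2] = {
    { "http://loginserv.internal.bigacme.com", "http://www.bigacme.com/login" },
    { "http://webserv.internal.bigacme.com", "http://www.bigacme.com/some_app" },
};
#define NMAP (sizeof url_map / sizeof url_map[0])

/* A prefix matches only where the host name really ends, so a longer
 * name that merely starts with an internal one is left untouched. */
static int at_host_end(char c) {
    return c == '\0' || c == '/' || c == '?' || c == '#' || c == '&';
}

/* Rewrite every mapped URL in a Location value, in the host part and in
 * query parameters alike. Returns 0, or -1 if out[outlen] is too small
 * (the caller should then fail closed rather than send a partial value). */
int rewrite_location(const char *in, char *out, size_t outlen) {
    size_t o = 0;
    if (outlen == 0) return -1;
    while (*in) {
        const char *rep = NULL;
        size_t skip = 1, add, i;
        for (i = 0; i < NMAP && !rep; i++) {
            size_t n = strlen(url_map[i][0]);
            if (strncmp(in, url_map[i][0], n) == 0 && at_host_end(in[n])) {
                rep = url_map[i][1];
                skip = n;
            }
        }
        add = rep ? strlen(rep) : 1;      /* replacement, or one literal byte */
        if (o + add >= outlen)
            return -1;
        memcpy(out + o, rep ? rep : in, add);
        o += add;
        in += skip;
    }
    out[o] = '\0';
    return 0;
}

int main(void) {
    char buf[256];
    const char *loc = "http://loginserv.internal.bigacme.com?return=http://webserv.internal.bigacme.com";
    if (rewrite_location(loc, buf, sizeof buf) == 0) puts(buf);
    return 0;
}
```

A URL with an explicit port after the internal host name is deliberately left unrewritten, because appending the port to a mapped path prefix would produce an invalid URL.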




Re: Rewriting incoming & outgoing headers

2002-07-19 Thread josv

The biggest problem we have is with redirections that are being returned
to the browser. Because our web servers are behind a set of reverse
proxies (currently *three* deep! There is nothing I/we can do about that
because it is "corporate policy"), the web servers are not visible
directly from the outside. So there is a whole set of servers with
internal names (that are not known in the outside DNS) that all
masquerade behind www.bigacme.com/so_and_so...

We use the Netegrity SiteMinder product to implement single sign on
for the entire web server park. The SiteMinder web agent that is plugged
into each web server assesses whether a user has already logged in
(cookies) and if not redirects back to the logon web server which
performs the logon process (with all sorts of fancy smart card
technology if needed).

This means that SiteMinder returns a 30x reply with a Location header
that goes something like:

Location: http://loginserv.internal.bigacme.com?return=http://webserv.internal.bigacme.com

Both internal names are not visible from the outside, so the Location
header needs to be rewritten to contain a redirect to:

Location: http://www.bigacme.com/login?return=http://www.bigacme.come/some_app

(Examples are highly simplified and stylized, but you get the picture...)

Now, reverse proxies can typically rewrite the host part of the Location
header, but not the URI/Query_String part. We are having all sorts of
headaches with this. There are some related smaller problems as well
(e.g. the incoming Host header).

Now, I am the first to acknowledge that my customer's network/proxy/DNS
structure is all f*cked up, but it is out of my control (out of anyone's
control basically :-), hence my desire to solve it as good as I can in
the pieces that *are* under my control...

++Jos.nl

And thus it came to pass that Graham Leggett wrote:
(on Fri, Jul 19, 2002 at 09:20:58AM +0200 to be exact)

> [EMAIL PROTECTED] wrote:
> 
> > Now, your opinion is greatly valued on the following:
> > 
> > - Is my reasoning about the impossibility to achieve this with a
> >   (standard) module correct?
> > - Would a generic header rewriting feature be deemed a worthwhile
> >   addition to the core?
> 
> First off - what are the problems that exist you are trying to solve?
> 
> The minute I see the requirement to start rewriting things all over
> the show my instinct kicks in saying "simplify, simplify".
> 
> Regards,
> Graham
> -- 
> -
> [EMAIL PROTECTED] 
>   "There's a moon
>   over Bourbon Street
>   tonight..."

-- 
"Freedom" is just another word for "nothing left to lose"...




Re: Rewriting incoming & outgoing headers

2002-07-19 Thread Graham Leggett

[EMAIL PROTECTED] wrote:

> Now, your opinion is greatly valued on the following:
> 
> - Is my reasoning about the impossibility to achieve this with a
>   (standard) module correct?
> - Would a generic header rewriting feature be deemed a worthwhile
>   addition to the core?

First off - what are the problems that exist you are trying to solve?

The minute I see the requirement to start rewriting things all over the 
show my instinct kicks in saying "simplify, simplify".

Regards,
Graham
-- 
-
[EMAIL PROTECTED] 
"There's a moon
over Bourbon Street
tonight..."