Discussion:
problem with cookie domains and mod_proxy, Apache 1.3.27
Weiss, Ken
2003-03-20 20:46:45 UTC
I have configured Apache 1.3.27 to operate as a reverse proxy. My proxy runs
on proxybox.schwab.com. I have a content server sitting behind it,
content.schwab.com. I can access the following URL, and it works perfectly:

http://proxybox.schwab.com/content

I get the content that is sitting on content.schwab.com. So all the reverse
proxy stuff is working fine.
Here's my problem. I use a cookie to authenticate people to
proxybox.schwab.com. This cookie has a domain of .proxybox.schwab.com, so it
should only be presented to that specific host. Web servers running on any
other host should not be able to see this cookie. But, I can see the cookie
on content.schwab.com.
It appears that mod_proxy passes all headers, including cookies with very
restrictive domains, to the content servers. Even though the cookie has a
domain set that should prevent it from going to any other servers, it still
gets passed along.
Is there any way to configure mod_proxy so it will stop doing this? Is there
any way to modify mod_proxy to filter a specific cookie from the header
before passing the request to the content server?

--Ken

---------------------------------------------------------------
Ken Weiss ***@schwab.com
Directory Services 415-667-1424 (voice)
Charles Schwab & Co. 415-786-1545 (cell)
SF211MN-10-353 415-667-1797 (fax)
101 Montgomery St.
San Francisco, CA 94104

WARNING: All email sent to this address will be received by the Charles
Schwab & Co., Inc. corporate email system and is subject to archival and
review by someone other than the recipient.
Mathias Herberts
2003-03-21 07:34:04 UTC
Humm, second thought: we are not running the same config, no auth is done
on our reverse proxies, and I personally think this is not the place for
auth as reverse proxies should really be transparent.

I guess the actual mod_proxy code will not enable you to fix your
problem. Maybe Apache 2.0 has more features for tweaking headers.

Regards,

Mathias.
Post by Weiss, Ken
I have configured Apache 1.3.27 to operate as a reverse proxy. My proxy runs
on proxybox.schwab.com. I have a content server sitting behind it,
content.schwab.com. I can access the following URL, and it works perfectly:
http://proxybox.schwab.com/content
I get the content that is sitting on content.schwab.com. So all the reverse
proxy stuff is working fine.
Here's my problem. I use a cookie to authenticate people to
proxybox.schwab.com. This cookie has a domain of .proxybox.schwab.com, so it
should only be presented to that specific host. Web servers running on any
other host should not be able to see this cookie. But, I can see the cookie
on content.schwab.com.
It appears that mod_proxy passes all headers, including cookies with very
restrictive domains, to the content servers. Even though the cookie has a
domain set that should prevent it from going to any other servers, it still
gets passed along.
Is there any way to configure mod_proxy so it will stop doing this? Is there
any way to modify mod_proxy to filter a specific cookie from the header
before passing the request to the content server?
--Ken
--
-- Informatique du Credit Mutuel ---- Reseaux et Systemes Distribues
-- 32 rue Mirabeau -- Le Relecq-Kerhuon -- 29808 Brest Cedex 9, FRANCE
-- Tel +33298004653 - Fax +33298284005 - Mail ***@gicm.fr
-- Key Fingerprint: 8778 D2FD 3B4A 6B33 10AB F503 63D0 ADAE 9112 03E4
Ian Holsman
2003-03-21 13:27:23 UTC
I don't think 2.0 has any specific options for not passing specific cookies through.
I'm not sure how easy it would be. Looking at a tcpdump of port 80 traffic, it doesn't
look like the request passes the domain back.

I guess the only way would be for the site admin to explicitly block a cookie, but I don't believe
that option exists at the moment, and I can't think of a workaround via rewrite.

Sorry Ken.

ps.. if this is a really, really big pain for you, we could add a directive to mask cookies,
but it would probably end up in the standard 2.0 distribution, not 1.3.

--ian
Post by Mathias Herberts
Humm second thought, we are not running the same config, no auth is done
on our reverse proxies, and I personnaly think this is not the place for
auth as reverse proxies should really be transparent.
I guess the actual mod_proxy code will not enable you to fix your
problem. Maybe Apache 2.0 has more features for tweaking headers.
Regards,
Mathias.
Post by Weiss, Ken
I have configured Apache 1.3.27 to operate as a reverse proxy. My proxy runs
on proxybox.schwab.com. I have a content server sitting behind it,
content.schwab.com. I can access the following URL, and it works perfectly:
http://proxybox.schwab.com/content
I get the content that is sitting on content.schwab.com. So all the reverse
proxy stuff is working fine.
Here's my problem. I use a cookie to authenticate people to
proxybox.schwab.com. This cookie has a domain of .proxybox.schwab.com, so it
should only be presented to that specific host. Web servers running on any
other host should not be able to see this cookie. But, I can see the cookie
on content.schwab.com.
It appears that mod_proxy passes all headers, including cookies with very
restrictive domains, to the content servers. Even though the cookie has a
domain set that should prevent it from going to any other servers, it still
gets passed along.
Is there any way to configure mod_proxy so it will stop doing this? Is there
any way to modify mod_proxy to filter a specific cookie from the header
before passing the request to the content server?
--Ken
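The name-based filter Ken asks for, written here as an added Python example (not code from the thread, from mod_proxy, or from Apache). It also reflects Ian's tcpdump observation: the browser's request carries only name=value pairs and never the Domain attribute, so a proxy cannot enforce the cookie's domain by inspection and must drop the cookie by name. The cookie name `proxyauth` and the sample headers are constructed placeholders.

```python
# Strip the proxy's own authentication cookie from the Cookie header before
# the request is forwarded to a backend. The forwarded request carries only
# "name=value" pairs, never the Domain attribute, so the proxy has to filter
# by cookie name rather than by domain.
from typing import Iterable, List, Optional, Tuple

# Assumed placeholder name for the cookie that authenticates users to the proxy.
PROXY_ONLY_COOKIES = {"proxyauth"}

def strip_cookies(cookie_header: str, names: Iterable[str]) -> Optional[str]:
    """Return the Cookie header value with the named cookies removed.

    Returns None when nothing is left so the caller drops the header
    entirely instead of forwarding an empty 'Cookie:' line.
    """
    kept = []
    for pair in cookie_header.split(";"):
        pair = pair.strip()
        if not pair:
            continue  # tolerate stray ';;' or a trailing ';'
        # Split on the first '=' only: cookie values may contain '=' themselves.
        name = pair.split("=", 1)[0].strip()
        if name not in names:
            kept.append(pair)
    return "; ".join(kept) if kept else None

def filter_request_headers(headers: List[Tuple[str, str]],
                           names: Iterable[str] = PROXY_ONLY_COOKIES) -> List[Tuple[str, str]]:
    """Rewrite (name, value) request headers for the backend.

    Header names are matched case-insensitively, as HTTP requires.
    """
    out = []
    for name, value in headers:
        if name.lower() == "cookie":
            value = strip_cookies(value, names)
            if value is None:
                continue  # nothing left to forward; drop the header
        out.append((name, value))
    return out

# Constructed request headers as the proxy would receive them from a browser.
SAMPLE_HEADERS = [
    ("Host", "proxybox.schwab.com"),
    ("Cookie", "lang=en; proxyauth=abc123==; tracking=x=y"),
    ("Accept", "text/html"),
]
```

Calling `filter_request_headers(SAMPLE_HEADERS)` yields the same headers with the Cookie value reduced to `lang=en; tracking=x=y`; a request whose only cookie is the proxy's own loses the Cookie header altogether.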