#acl Natalie Prange:read,write All:read Many of our projects (student projects as well as research projects) run on one of our local machines, for example on ''vulcano.informatik.privat:8400'', but should be accessible from the outside, for example via ''http://aqqu.cs.uni-freiburg.de/proxy-test''. This is non-trivial when the latter URL is not a top-level URL, like ''http://aqqu.cs.uni-freiburg.de'', but contains a path, like the ''/proxy-test''. <> == Apache Config == The first step is to find out, which virtual host deals with the domain. In the example above, it's the Apache virtual host configured in ''filicudi:/etc/apaches2/sites-available/aqqu.conf'' and it contains (among others) the following lines: {{{ ServerName aqqu.informatik.uni-freiburg.de ServerAlias aqqu aqqu.cs.uni-freiburg.de [...] RewriteEngine On RewriteRule /proxy-test$ /proxy-test/ [R] ProxyPass /proxy-test http://vulcano.informatik.privat:8400 ProxyPassReverse /proxy-test http://vulcano.informatik.privat:8400 [...] }}} The effect of the ''!RewriteRule'' line is that when somebody types ''http://aqqu.cs.uni-freiburg.de/proxy-test'' in the browser (without a trailing slash), the browser will be redirected to ''http://aqqu.cs.uni-freiburg.de/proxy-test/''. The reason for this redirect is that the missing slash is problematic for many web applications. If you are curious, see the last section on this page. In any case, remember that details like a trailing / or not in the line in the configuration file are very important. The effect of the ''!ProxyPass'' line is that when somebody enters ''http://aqqu.cs.uni-freiburg.de/proxy-test/'' in the browser, then ''vulcano.informatik.privat:8400'' gets the request ''/''. Due to the redirect described in the previous paragraph, when somebody enters ''http://aqqu.cs.uni-freiburg.de/proxy-test'' (without a trailing slash), the combined effect of the ''!RewriteRule'' and the ''!ProxyPass'' line is that ''vulcano.informatik.privat:8400'' gets the following GET request: {{{ GET / HTTP/1.1 ... }}} The ''!ProxyPassReverse'' line is needed when the server at ''vulcano.informatik.privat:8400'' does further redirects. For a detailed exaplanation, see https://serverfault.com/questions/774041/what-is-the-use-of-proxypassreverse-directive . In any case, the line doesn't harm, so we always write it in the Apache configuration file. It's also easy because it is identical to the ''!ProxyPass'' line, except that ''Reverse'' is added. == Requirements of the web application == It is important that the web application only specifies either relative paths or absolute paths which take the path in the browser URL into account. For example, assume that somebody entered ''http://aqqu.cs.uni-freiburg.de/proxy-test/'' into the browser and the first thing the web application does is to serve the following html file: {{{

A simple HTML page

}}} Then the browser will send two GET requests with the following URLs: {{{ http://aqqu.cs.uni-freiburg.de/proxy-test/style.css http://aqqu.cs.uni-freiburg.de/proxy-test/script.js }}} This is good because these URLs match the proxy configuration from above. To serve these URLs, Apache will ask the following URLs: {{{ http://vulcano.informatik.privat:8400/style.css http://vulcano.informatik.privat:8400/script.js }}} The first line of the resulting GET requests received by ''vulcano.informatik.privat:8400'' will then be as follows. {{{ GET /style.css HTTP/1.1 GET /script.js HTTP/1.1 }}} Note that the first line of the GET request does not contain the ''proxy-test'' prefix. However, this information is given in one of the header lines that follow the first line, namely the ''Referer: ...'' line: {{{ Host: vulcano.informatik.privat:8400 Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36 Accept: */* Referer: http://aqqu.cs.uni-freiburg.de/proxy-test Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9,de-DE;q=0.8,de;q=0.7 Cookie: _ga=GA1.2.1897526143.1483962283; ioam2018=001a120e44815d0655dc1c0e9:1599244525817:1572978925817:.uni-freiburg.de:10:ak025:dbs:noevent:1576359561488:y4r1b0 X-Forwarded-For: 132.230.239.31 X-Forwarded-Host: aqqu.cs.uni-freiburg.de X-Forwarded-Server: aqqu.informatik.uni-freiburg.de Connection: Keep-Alive }}} == Experimenting with a proxy without the redirect == Without the ''Redirect'' directive in the Apache configuration above, things can get tricky when a user enters ''http://aqqu.cs.uni-freiburg.de/proxy-test'' into the browser, '''without''' a trailing slash. This section tries to explain what happens. Below is a simple web server (written in Python3), which serves an ''index.html'', which in turn loads a file with the (relative) URL ''style.css'' and executes some !JavaScript that issues a GET request with the (relative) URL ''?query=hello''. When entering ''http://aqqu.cs.uni-freiburg.de/proxy-test'' into the browser, the following URLs are retrieved (see the network tab of the !JavaScript / developer console, which can be activated with F11 or Ctrl+Shift+J): {{{ http://aqqu.cs.uni-freiburg.de/proxy-test http://aqqu.cs.uni-freiburg.de/style.css http://aqqu.cs.uni-freiburg.de/proxy-test?query=hello }}} When entering ''http://aqqu.cs.uni-freiburg.de/proxy-test/'' into the browser, that is, '''with''' a trailing slash, the following URLs are retrieved: {{{ http://aqqu.cs.uni-freiburg.de/proxy-test/ http://aqqu.cs.uni-freiburg.de/proxy-test/style.css http://aqqu.cs.uni-freiburg.de/proxy-test/?query=hello }}} The ''?query=hello'' request can be handled, although it does require some extra care on the side of the web application running behind ''vulcano.informatik.privat:8400'' to deal with the fact that there might or might not be a slash before the ''?query=hello''. The ''style.css'' is more problematic. To be able to handle both cases, the web application must detect whether the prefix ''proxy-test'' is there, and if yes, remove it for this and all further requests to the app. This is complicated by the fact that at first, the web app does not know the name of the prefix. However, it can retrieve this information form the very first request it gets and then make use of it for all further requests. So it's possible, but a bit messy and it does require extra care on the side of the web application. It's certainly easier to just add the ''Redirect'' to the Apache configuration (see above). Then the web application still has to take care that all the URLs it produces are relative (or absolute with the right path), but that is relatively easy. == A simple web server for testing proxies == The following code was tested with Python 3.6.9 and it should work with any Python 3.x {{{ """ Copyright 2020, University of Freiburg Chair of Algorithms and Data Structures. Hannah Bast """ import sys import socket index_html = """

Test page returned by simple_server.py

Check JS console for style.css

if __name__ == "__main__": if len(sys.argv) != 2: print("Usage: python3 simple_server.py ") sys.exit(1) port = int(sys.argv[1]) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) s.bind(("0.0.0.0", port)) s.listen() while True: print("\x1b[1mWaiting on port %d\x1b[0m ... " % port, end="", flush=True) connection, client_address = s.accept() connection.settimeout(5.0) print("connection from %s" % client_address[0], end="", flush=True) request = connection.recv(8192) # reads only one batch print(", request data is:") print(request.decode("utf-8")) result = index_html.encode("utf-8") headers = "HTTP/1.1 200 OK\r\n" \ "Content-Length: %d\r\n" \ "Content-Type: text/html\r\n" \ "\r\n" % len(result) connection.sendall(headers.encode("utf-8")) connection.sendall(result) connection.close() }}}