ProxyForwarding (IIPserver/HTTPserver+viewer)

Help
DGSL
2009-09-08
2012-10-06
  • DGSL
    2009-09-08

    I am trying to figure out how to set Apache config but I am getting a bit lost with this.
    I have 2 Ubuntu servers, on a LAN behind a router, so both share the same public IP.
    I will show here LAN IPs:

    (1) - Apache-fastcgi-IIPserver runs on 192.168.1.5:8080
    This is seen from outside at http://mydomain:8080
    These lines are in /etc/apache2/apache2.conf

    Create a directory for the iipsrv binary:

    ScriptAlias /fcgi-bin/ "/var/www/fcgi-bin/"

    Set the options on that directory:

    <Directory "/var/www/fcgi-bin/">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
    # Set the module handler
    AddHandler fastcgi-script .fcgi
    </Directory>

    So my IIPserver is seen at ...
    http://mydomain:8080/fcgi-bin/iipsrv.fcgi
    http://my-public-IP:8080/fcgi-bin/iipsrv.fcgi
    http://192.168.1.5:8080/fcgi-bin/iipsrv.fcgi
    ... and all of them work (tested from other machines in the LAN)

    (2) - Apache-MySQL-PHP runs on 192.168.1.102:80
    (I also plan to run IIPmooviewer on it)
    This is seen from outside at http://mydomain:80
    These lines are in /etc/apache2/apache2.conf

    ProxyPass /fcgi-bin/iipsrv.fcgi http://192.168.1.5:8080/fcgi-bin/iipsrv.fcgi
    ProxyPassReverse /fcgi-bin/iipsrv.fcgi http://192.168.1.5:8080/fcgi-bin/iipsrv.fcgi

    But for some reason, this doesn't work:

    http://mydomain:80/fcgi-bin/iipsrv.fcgi
    http://my-public-IP:80/fcgi-bin/iipsrv.fcgi
    http://192.168.1.102:80/fcgi-bin/iipsrv.fcgi
    http://192.168.1.102:8080/fcgi-bin/iipsrv.fcgi

    ... for all of them I got this error:

    Forbidden
    You don't have permission to access /fcgi-bin/iipsrv.fcgi on this server.
    Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.5 with Suhosin-Patch Server at ...whatever... Port 80

    For the last one (192.168.1.102:8080) I would expect a NOT FOUND error (since the server runs at port 80) ... so I am really lost on how to configure all this.

    To explain and mess things a little bit more, my 192.168.1.5:8080 IIPserver machine is running on VirtualBox (guest=Ubuntu, host=WinXP) using NAT forwarding: so, Apache runs actually on port 80 at guest machine but is seen on 8080 at host machine.
    Apparently everything (firewall and NAT configuration) is configured OK, since the IIPserver is accessible at 8080 on the internet.
    The only problems are when I try to do the ProxyForwarding ... perhaps I am doing something wrong or things are a little bit tricky due to VirtualBox NAT usage?

    Thanks

     
    • DGSL
      2009-09-08

      ... perhaps I should recreate the same alias definition for /fcgi-bin/ at the server which is not running the IIPserver?

      Create a directory for the iipsrv binary:

      ScriptAlias /fcgi-bin/ "/var/www/fcgi-bin/"

      Set the options on that directory:

      But I don't know how I can set the access options "Allow from all", since this is not a local directory

      Thanks for your help in advance, I know this is not an IIPserver but an Apache question

       
  • DGSL
    2009-09-12

    No ... the alias did not help

    I tried the same proxyforwarding steps on a WinXP+Apache machine on the same
    LAN (192.168.1.10:8001), and it worked: I can access my VirtualBox ubuntu
    IIPserver (192.168.1.102:8080) as if it was installed on that Windows machine
    IP/port. So, at least I am sure this was not a problem of my IIP server, but
    my LAMP server.

    So what's wrong with the Ubuntu LAMP server at 192.168.1.2:80?

    I googled and found that in Debian/Ubuntu version of Apache 2, many
    configuration steps are different
    to what is documented in IIP server pages.

    For example, to load Apache modules (like proxy or proxy_http), you don't
    touch main httpd.conf file with this kind of lines:

    LoadModule proxy_module modules/mod_proxy.so
    LoadModule proxy_http_module modules/mod_proxy_http.so

    ... instead, you have to add proxy.load and proxy_http.load files into this
    folder:
    /etc/apache2/mods-enabled

    Those .load files will contain the "LoadModule" lines that you used
    to write in the main Apache httpd.conf file


    OK ... but I had already discovered and done ALL THIS before my first post.
    So, there should be something else.

    I found pages touching <proxy> directives (either in apache2.conf or
    proxy.conf) ... so, what lines of which file should I change to run IIP
    safely?

    I discovered that changing the "Deny from all" line at
    proxy.conf
    to "Allow from all" makes things work, but I read this
    is unsafe.

    Now I wonder how to "Allow" access just to the IIP server without
    exposing other things?

    Some links I used, hopefully they will help somebody else:

    http://www.ducea.com/2006/05/30/managing-apache2-modules-the-debian-way/

    http://serbiancafe.wordpress.com/2006/10/20/apaches-proxypass-on-ubuntu/

    http://thelowedown.wordpress.com/2008/10/12/reverse-proxy-with-apache/

    http://speeves.erikin.com/2007/01/debianapache2-modproxy-forbidden.html

    http://www.wlug.org.nz/ApacheReverseProxy

     
  • DGSL
    2009-09-12

    well, now I can call my IIP server from another server (of mine) using
    ProxyPassReverse ...

    can I avoid other people from doing so (loading my server content) from their
    web servers?
    Is there a way that the server which provides contents detects the URL used,
    so it redirects to the legitimate host?

     
  • Ruven
    2009-09-17

    "can I avoid other people from doing so (loading my server content) from their web servers? Is there a way that the server which provides contents detects the URL used, so it redirects to the legitimate host?"

    What do you mean exactly? Your proxied fcgi server needs to remain accessible
    via the proxy so that the client can connect. However, connections to anything
    other than /fcgi-bin/ can be easily forbidden.
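
Added example (not part of the original posts or the IIPImage documentation): one way to handle the proxy.conf question above on the Apache 2.2 front-end, leaving the Debian default deny in place and opening only the iipsrv URL. The addresses are the ones quoted in the thread; placing this in a site or conf.d file that is read after proxy.conf is an assumption.

```apache
# Added example, not from the thread. Apache 2.2 syntax (Order/Allow/Deny).
# Front-end LAMP server; back-end address as quoted in the thread.

# --- Weak: the edit described in the thread (mods-enabled/proxy.conf) ---
# <Proxy *>
#     Order deny,allow
#     Allow from all
# </Proxy>
# Every proxied URL is permitted. This is harmless only while
# ProxyRequests stays Off; with ProxyRequests On it is an open forward proxy.

# --- Scoped: keep the default deny and open one back-end URL ---

# Reverse proxy only, never a forward proxy.
ProxyRequests Off

# Default: nothing may be proxied.
<Proxy *>
    Order deny,allow
    Deny from all
</Proxy>

# This section comes later in the configuration, so it is merged over the
# default above and permits the iipsrv back-end URL only.
<Proxy http://192.168.1.5:8080/fcgi-bin/iipsrv.fcgi*>
    Order deny,allow
    Allow from all
</Proxy>

# Only this one path is mapped to the back-end; nothing else is forwarded.
ProxyPass        /fcgi-bin/iipsrv.fcgi http://192.168.1.5:8080/fcgi-bin/iipsrv.fcgi
ProxyPassReverse /fcgi-bin/iipsrv.fcgi http://192.168.1.5:8080/fcgi-bin/iipsrv.fcgi
```

Comments are kept on their own lines because Apache does not accept a trailing `#` comment after a directive.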

     
  • Ruven
    2009-09-17

    There is no easy way to stop this. Your iip server must be publicly available
    if you want to have clients, so someone can use a proxy to tunnel it. They
    could do this for any site or resource. It works in the same way as an
    anonymous proxy.

    If you discover somebody doing this, you could block their IP address.
    Alternatively, if you do a Google search, you can find a few more general
    methods, such as
    http://perishablepress.com/press/2008/04/20/how-to-block-proxy-servers-via-htaccess/
    However none are 100% effective.

    In any case, they are not really stealing your bandwidth as the proxy means
    they also have to re-send all the bytes from your images themselves. They are,
    nevertheless, using your images.

     
  • DGSL
    2009-09-20

    You are right Ruven, I missed something

    I was thinking about 2 different approaches but I just wrote the first one.
    The really "stealing" one would be hotlinking your server images
    from outside your server domain, like if I show this image on my server (or
    here, in sourceforge) without storing it, like this:

    <IMG SRC=http://merovingio.c2rmf.cnrs.fr/fcgi-bin/iipsrv.fcgi?FIF=/home/eros/iipimage/heic0601a.tif&WID=400&CVT=jpeg>

    Any approaches to prevent this?

     
  • Ruven
    2009-09-21

    As IIPMooViewer uses an Ajax request to get the image metadata, the iipsrv
    host must be the same as the site from which it is hosted.

    Another approach that I have never tried but may work, would be to filter
    within Apache using the referrer string. I'm not sure all browsers handle this
    correctly so it's not certain it will always work. Alternatively, this could be done
    via some sort of session management. Perhaps this can be done directly via
    Apache. Otherwise, session management code would need to be added to the IIP
    server!
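
Added example (not part of the original post): the Referer filter described above, in Apache 2.2 syntax for the server that exposes /fcgi-bin/ to browsers. `mydomain` is the thread's placeholder host name and the variable name `local_ref` is an assumption.

```apache
# Added example, not from the thread. Apache 2.2 syntax; needs mod_setenvif.

# Mark requests whose Referer starts with the site's own URL.
SetEnvIfNoCase Referer "^http://mydomain(:80)?/" local_ref

# Also accept requests with no Referer at all: some browsers, privacy tools
# and intermediate proxies strip the header, and blocking them would break
# the viewer for legitimate visitors. Remove this line for a stricter filter.
SetEnvIf Referer "^$" local_ref

# Requests for iipsrv are refused unless one of the rules above matched.
<Location /fcgi-bin/iipsrv.fcgi>
    Order deny,allow
    Deny from all
    Allow from env=local_ref
</Location>
```

The Referer header is supplied by the client, so this only discourages embedding from other sites' pages; it is not access control.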

     

