
LAS proxy security issue



Greetings LAS installers,

We recently had someone using our web server to send out zillions of spam email messages.  They were able to do this because we had 'forward proxying' turned on in Apache.  This enabling of forward proxying was actually recommended by us in an old las_users email:
http://ferret.pmel.noaa.gov/Ferret/LAS/Mail_Archives/fu_2002/msg00166.html
This turns out to be a major security no-no and is not at all required for LAS.

For LAS it is often useful to use 'reverse proxying' to let users use nice URLs like:
http://your.domain.name/weather
instead of ugly ones like
http://your.domain.name:8080/WEATHER/servlets/dataset
If you have the Apache proxy module turned on you can accomplish this with the following lines in your httpd.conf file:

    ProxyPass /WEATHER/ http://localhost:8080/WEATHER/
    ProxyPassReverse /WEATHER/ http://localhost:8080/WEATHER/

    RedirectPermanent /weather http://your.domain.name/WEATHER/servlets/dataset

But you don't need to enable forward proxying for this to work.  The following excerpts from our httpd.conf file show what is required to do this kind of proxying:

    LoadModule proxy_module       /usr/lib/apache/libproxy.so
    ...
    AddModule mod_proxy.c
    ...
    # ProxyRequests On

This last line is the important one -- don't turn on ProxyRequests!

Here is a little clarification from the Apache documentation:
The forward proxy is activated using the ProxyRequests directive. Because forward proxies allow clients to access arbitrary sites through your server and to hide their true origin, it is essential that you secure your server so that only authorized clients can access the proxy before activating a forward proxy.

A reverse proxy, by contrast, appears to the client just like an ordinary web server. No special configuration on the client is necessary. The client makes ordinary requests for content in the name-space of the reverse proxy. The reverse proxy then decides where to send those requests, and returns the content as if it was itself the origin.

If you turn on ProxyRequests and "Allow from all" you are basically saying that anyone who wants to can do whatever mischief they want and pin the blame on your computer.  So please have a look at your httpd.conf file and comment out the ProxyRequests line.  We don't want LAS to get blamed for unnecessary security loopholes.


-- Jon
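The check Jon asks installers to do by hand (look through httpd.conf for an active ProxyRequests line) can be scripted. The following Python audit is an added example, not part of the original mail or of the LAS distribution; it scans an httpd.conf text, ignores commented-out lines, and flags an uncommented "ProxyRequests On" as well as an "Allow from all" inside a <Proxy> block. The two config excerpts inside it are constructed samples: one is the safe reverse-proxy setup from the mail, the other is the open forward-proxy setup the mail warns about.

```python
import re

# Constructed sample: reverse proxying as recommended in the mail,
# with ProxyRequests left commented out (inert).
SAFE_CONF = """\
LoadModule proxy_module       /usr/lib/apache/libproxy.so
AddModule mod_proxy.c
# ProxyRequests On
ProxyPass /WEATHER/ http://localhost:8080/WEATHER/
ProxyPassReverse /WEATHER/ http://localhost:8080/WEATHER/
RedirectPermanent /weather http://your.domain.name/WEATHER/servlets/dataset
"""

# Constructed sample: the open forward proxy the mail warns about.
OPEN_CONF = """\
LoadModule proxy_module       /usr/lib/apache/libproxy.so
AddModule mod_proxy.c
ProxyRequests On
<Proxy *>
    Order deny,allow
    Allow from all
</Proxy>
ProxyPass /WEATHER/ http://localhost:8080/WEATHER/
"""

# Apache directives are case-insensitive, so match them that way.
PROXY_REQUESTS_RE = re.compile(r"^ProxyRequests\s+(\S+)", re.IGNORECASE)
PROXY_OPEN_RE = re.compile(r"^<Proxy\b", re.IGNORECASE)
PROXY_CLOSE_RE = re.compile(r"^</Proxy>", re.IGNORECASE)
ALLOW_ALL_RE = re.compile(r"^Allow\s+from\s+all\b", re.IGNORECASE)


def audit_proxy_config(text):
    """Return a list of (line_number, finding) for forward-proxy exposure.

    An empty list means no active ProxyRequests On and no blanket
    Allow from all inside a <Proxy> block were found.
    """
    findings = []
    in_proxy_block = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Apache treats a line starting with '#' as a comment, so a
        # commented-out "# ProxyRequests On" is harmless and is skipped.
        if not line or line.startswith("#"):
            continue
        m = PROXY_REQUESTS_RE.match(line)
        if m and m.group(1).lower() == "on":
            findings.append((lineno, "ProxyRequests On enables forward proxying"))
        if PROXY_OPEN_RE.match(line):
            in_proxy_block = True
        elif PROXY_CLOSE_RE.match(line):
            in_proxy_block = False
        elif in_proxy_block and ALLOW_ALL_RE.match(line):
            findings.append((lineno, "Allow from all inside <Proxy> opens the proxy to everyone"))
    return findings


def is_open_forward_proxy(text):
    """True if the config would let arbitrary clients relay through the server."""
    return any("ProxyRequests On" in msg for _, msg in audit_proxy_config(text))


if __name__ == "__main__":
    # Usage: python audit_proxy.py /path/to/httpd.conf
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    conf = open(path).read() if path else OPEN_CONF
    for lineno, msg in audit_proxy_config(conf):
        print("line %d: %s" % (lineno, msg))
```

Run it against your own httpd.conf to get the line numbers to comment out; on the safe sample it reports nothing, on the open sample it reports line 3 (ProxyRequests On) and line 6 (Allow from all in the <Proxy> block). Reverse-proxy directives such as ProxyPass and ProxyPassReverse are deliberately not flagged, since they are what LAS actually needs.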



Dept of Commerce / NOAA / OAR / PMEL / TMAP