
Re: LAS proxy security issue



Jonathan Callahan wrote:
Greetings LAS installers,

We recently had someone using our web server to send out zillions of spam email messages. They were able to do this because we had 'forward proxying' turned on in Apache. This enabling of forward proxying was actually recommended by us in an old las_users email:

Hi John,
So, back to rain city?

Here is the Ifremer proxy configuration, which seems OK security-wise:
(wlas is the LAS server behind the proxy)

# forward proxying stays off; only the explicit reverse-proxy mappings below are exposed
# ProxyRequests On
ProxyPass /las-output http://wlas.ifremer.fr/las-output
ProxyPassReverse /las-output http://wlas.ifremer.fr/las-output
ProxyPass /las-bin http://wlas.ifremer.fr/las-bin
ProxyPassReverse /las-bin http://wlas.ifremer.fr/las-bin
ProxyPass /las http://wlas.ifremer.fr/las
ProxyPassReverse /las http://wlas.ifremer.fr/las

I have no RedirectPermanent directive,
but a
/var/lib/tomcat4/webapps/las/index.jsp
<%
response.sendRedirect("http://www.ifremer.fr/las/servlets/dataset");
%>

Well, I think the RedirectPermanent is probably better, at least for web statistics like awstats.

But I think there is *also* a LAS code modification to do:
in las/server/LAS/Server.pm
"http://" . $ENV{SERVER_NAME} . ":" . $ENV{SERVER_PORT} .
$loc . basename($_) } @{$files};
should be changed to
"http://" . $ENV{PROXY_NAME} . ":" . $ENV{PROXY_PORT} .
$loc . basename($_) } @{$files};
with PROXY_NAME and PROXY_PORT set to www.ifremer.fr in the file ... Which file???

Because the automatic HTML generation makes output HTML pages with
<img border="0" src="http://wlas.ifremer.fr/las-output/17cf567e2f4772d596f3ef40b8318d21.gif">

and wlas is *behind* the firewall, and you can't see the nice output gif....


So my proxy configuration seems to be a little more complex than yours. I will try yours to see if it is friendly with my 'secure LAS server'.

By the way, I hope I will have time to contribute to LAS development for this 'secure LAS server'. But at the moment, I have to work on the Linux secure web server side, which is a Linux box with / mounted from NFS *read-only*.


On the other hand, this mail is a pre-announcement of a new LAS server up at Ifremer: http://www.ifremer.fr/las

The 'official announcement' should be made in the near future...


Kind regards,

--
Olivier
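As an added example (not code from the post or from LAS): a small Python audit of an httpd.conf fragment that flags an uncommented ProxyRequests On (the open forward proxy Jonathan describes) and lists the ProxyPass mappings, checking that each one has a matching ProxyPassReverse so backend redirects do not leak the internal host. The two sample configs are constructed from Olivier's snippet.

```python
import re

# Constructed samples: the Ifremer reverse-proxy config from the post (forward
# proxying commented out) and a variant with forward proxying switched on.
SAFE_CONF = """\
# ProxyRequests On
ProxyPass /las-output http://wlas.ifremer.fr/las-output
ProxyPassReverse /las-output http://wlas.ifremer.fr/las-output
ProxyPass /las http://wlas.ifremer.fr/las
ProxyPassReverse /las http://wlas.ifremer.fr/las
"""

OPEN_CONF = """\
ProxyRequests On
ProxyPass /las http://wlas.ifremer.fr/las
"""

# Apache directive names are case-insensitive; a '#' at line start is a comment.
DIRECTIVE = re.compile(
    r"^\s*(ProxyRequests|ProxyPass|ProxyPassReverse)\s+(.*?)\s*$", re.I)


def audit_proxy_config(text):
    """Return {'forward_proxy': bool, 'mappings': [(path, backend)],
    'unmirrored': [paths with ProxyPass but no ProxyPassReverse]}."""
    forward = False
    passes, reverses = {}, set()
    for raw in text.splitlines():
        if raw.lstrip().startswith("#"):
            continue                      # commented-out directive, ignored
        m = DIRECTIVE.match(raw)
        if not m:
            continue
        name, args = m.group(1).lower(), m.group(2).split()
        if name == "proxyrequests":
            forward = bool(args) and args[0].lower() == "on"   # last one wins
        elif name == "proxypass" and len(args) >= 2:
            passes[args[0]] = args[1]
        elif name == "proxypassreverse" and args:
            reverses.add(args[0])
    return {"forward_proxy": forward,
            "mappings": sorted(passes.items()),
            "unmirrored": sorted(set(passes) - reverses)}


if __name__ == "__main__":
    for label, conf in (("ifremer", SAFE_CONF), ("open-proxy", OPEN_CONF)):
        print(label, audit_proxy_config(conf))
```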




Dept of Commerce / NOAA / OAR / PMEL / TMAP