昨晩 twitter ã§ã€ã€Œãƒãƒƒã‚¯ã‚¨ãƒ³ãƒ‰ã®ã»ã†ã§ Digest èªè¨¼ã•ã‚Œã¦ã„ã‚‹ã¨ã“ã‚ã« mod_proxy 㧠Reverse proxy ã§ããªã„ã€ã¨ã„ã†è©±ãŒã‚ã£ãŸã®ã§ã¡ã‚‡ã£ã¨è©¦ã—ã¦ã¿ãŸã€‚
ã‚れ?mod_proxyã¨ã‹ã ã¨digestèªè¨¼å‡ºæ¥ãªã„ã®ã‹ï¼Ÿãƒªãƒãƒ¼ã‚¹ãƒ—ãƒã‚ã‚·ã«ã‚¢ã‚¯ã‚»ã‚¹ã—ãŸæ™‚点ã§èªè¨¼ã•ã›ã‚‹å½¢ã¨ã‹mod_rewriteã§ã‚´ãƒ‹ãƒ§ã‚´ãƒ‹ãƒ§ã•ã›ã‚‹æ–¹æ³•ã¨ã‹ã—ã‹ç„¡ã„ã®ã‹ãªã€‚
çµè«–ã‹ã‚‰è¨€ã†ã¨ã€
- uri (path) ãŒè¡¨ã¨è£ã§åŒä¸€ãªã‚‰å•é¡Œãªã—
- 別㮠uri ( 表:/foo => è£:/bar ãªã© ) ã ã¨èªè¨¼ã«å¤±æ•—ã™ã‚‹
ã¨ã„ã†çµæžœã«ã€‚
Digest èªè¨¼ã®ã‚¢ãƒ«ã‚´ãƒªã‚ºãƒ ã§ã¯ã€Authorization ヘッダã®ç”Ÿæˆã« uri も使用ã™ã‚‹ãŸã‚ã€ã‚¯ãƒ©ã‚¤ã‚¢ãƒ³ãƒˆãŒèªè˜ã—ã¦ã„ã‚‹ uri ã¨ãƒãƒƒã‚¯ã‚¨ãƒ³ãƒ‰ãŒèªè˜ã—ã¦ã„ã‚‹ uri ãŒç•°ãªã‚‹ã¨ãƒ˜ãƒƒãƒ€ã®æ¤œè¨¼ã«å¤±æ•—ã™ã‚‹ã€ã¨ã„ã†ã®ãŒåŽŸå› らã—ã„。
今回㯠reverse proxy ã‚‚ãƒãƒƒã‚¯ã‚¨ãƒ³ãƒ‰ã‚‚ Apache-2.2 ã ã‘ã©ã€ãŠãらãä»–ã® web server ã§ã‚‚事情ã¯åŒã˜ã¯ãšã€‚
以下検証作æ¥ãƒã‚°ã€‚
実㯠Digest èªè¨¼ã‚’ã¡ã‚ƒã‚“ã¨ä½¿ã£ãŸã“ã¨ãŒãªã‹ã£ãŸã®ã§é©å½“ã«è¨å®šã€‚ãƒãƒƒã‚¯ã‚¨ãƒ³ãƒ‰ã¯ CentOS-5 / Apache-2.2.3
AuthType Digest AuthName "Secret Zone" AuthDigestDomain /digest/ AuthDigestProvider file AuthUserFile /tmp/htdigest Require user secret
$ htdigest -c /tmp/htdigest "Secret Zone" secret
Reverse Proxy 㯠Apache-2.2.17 をソースã‹ã‚‰ proxy 有効ã«ã—ã¦ã‚¤ãƒ³ã‚¹ãƒˆãƒ¼ãƒ«ã€‚
$ ./configure --enable-proxy --prefix=/path/to/apache
httpd.conf ã« ProxyPass è¨å®š
Listen 10080 ProxyPass /digest http://127.0.0.1/digest
ã“ã‚Œã§è¡¨ã‚‚è£ã‚‚ /digest ã¨ã„ㆠuri ã«ãªã‚‹ãŒã€ã“ã‚Œã ã¨å•é¡Œãªãèªè¨¼ãŒé€šã‚‹ã€‚
ProxyPass /xxxxxx http://127.0.0.1/digest
ã“ã®ã‚ˆã†ã«ã€è¡¨ /xxxxxx => è£ /digest ã¨ã™ã‚‹ã¨ã€è£ã®ã»ã†ã§ã‚¨ãƒ©ãƒ¼ãƒã‚°ã«
Digest: uri mismatch - </xxxxxx/> does not match request-uri </digest/>
ã¨è¨˜éŒ²ã•ã‚Œã€400 Bad Request ã«ãªã‚‹ã€‚
