[Zope] Apache-Rewrite - Firewall - Problem

Andreas Tille tillea at rki.de
Fri Mar 23 10:51:36 EDT 2007


Hi,

I'm using an often recommended Apache-Zope rewrite setup to
mask the internal folder structure in Zope.  The crucial line
in my Apache (Debian Etch packaged version 2.2.3) is


RewriteRule ^(.*) http://a.b.c.d:9673/VirtualHostBase/http/a.b.c.d:80/myfolder/VirtualHostRoot$1 [P,L]


where a.b.c.d is the visible address of the machine from
outside the firewall, myfolder the folder of my Zope
application I want to provide under a.b.c.d:80
and, as Debian users might be comfortable with, 9673 the
Zope port (default for Debian).

This setup works fine for the old firewall which is not so
strict as the new one, that causes the trouble.
The new one exclusively enables port 80 (no 22, 25 etc.).

If I try the rewrite rule above I get the following line in
error.log:

[<date>] [error] (110)Connection timed out: proxy: HTTP: attempt to connect to a.b.c.d:9673 (*) failed

access.log says:

194.95.177.123 - - [23/Mar/2007:13:46:58 +0100] "GET / HTTP/1.0" 503 405

For debugging purposes I also write a debugging log:

   (the IP address is replaced by a.b.c.d and the visible DNS name by visible.name)

194.95.177.123 - - [23/Mar/2007:13:46:58 +0100] [visible.name/sid#81869c0][rid#81dc4c0/initial] (2) init rewrite engine with requested uri /
194.95.177.123 - - [23/Mar/2007:13:46:58 +0100] [visible.name/sid#81869c0][rid#81dc4c0/initial] (3) applying pattern '^(.*)' to uri '/'
194.95.177.123 - - [23/Mar/2007:13:46:58 +0100] [visible.name/sid#81869c0][rid#81dc4c0/initial] (2) rewrite '/' -> 'http://a.b.c.d:9673/VirtualHostBase/http/a.b.c.d:80/agi/VirtualHostRoot/'
194.95.177.123 - - [23/Mar/2007:13:46:58 +0100] [visible.name/sid#81869c0][rid#81dc4c0/initial] (2) forcing proxy-throughput with http://a.b.c.d:9673/VirtualHostBase/http/a.b.c.d:80/agi/VirtualHostRoot/
194.95.177.123 - - [23/Mar/2007:13:46:58 +0100] [visible.name/sid#81869c0][rid#81dc4c0/initial] (1) go-ahead with proxy request proxy:http://a.b.c.d:9673/VirtualHostBase/http/a.b.c.d:80/agi/VirtualHostRoot/ [OK]


This is exactly the rewrite log I get on the machine that works
perfectly behind the old firewall, but the new one causes the
strange error above.

When I searched the web with the string in my error.log I stumbled upon
the site

      http://www.dharwadkar.com/weblog/apache_fc6_01

which gives a slight hint, but there is no SELinux on my box at all but
there is a hint to the firewall that might cause the problem.

I have a vague suspicion that this might be very slightly connected
with the fact that when I formerly followed the recommendation of

    http://plone.org/documentation/how-to/plone-with-apache-1.3

to use "localhost" instead of the IP address of the server (or the FQDN)
I blatantly failed because the localhost directive was interpreted by
my browser that tried to access a local server (that did not exist).
So I learned by this that these Rewrite directives are not addressed
to the webserver to deliver a different page than requested but
to tell the browser to ask for a different page on the server.  If
I think about this I wonder whether this is a reasonable strategy of
redirection and because I do not regard this as reasonable I'm wondering
whether there is an option I could change this behaviour in a way that
the server directly answers with the result that can be obtained at
the rewritten location - which would probably solve my problem.
If my suspicion is right that the browser is advised to obtain the
    http://a.b.c.d:9673/...
something address, it is obvious that this must fail because port
9673 is blocked and there would never be a chance to get any page.

Kind regards

          Andreas.

-- 
http://fam-tille.de
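
An added example, not part of the original post: a small Python helper that correlates the two kinds of log line quoted above. It splits the proxy target from the rewrite log into the address Apache connects to and the public address embedded in the VirtualHostMonster path, then checks whether the failed connect in error.log matches the former. The sample lines, the 192.0.2.x/198.51.100.x addresses and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines modelled on the log formats quoted in the post;
# the addresses are documentation placeholders, not values from the post.
REWRITE_LOG = (
    '192.0.2.10 - - [23/Mar/2007:13:46:58 +0100] [www.example.org/sid#1]'
    '[rid#2/initial] (1) go-ahead with proxy request proxy:http://198.51.100.5:9673'
    '/VirtualHostBase/http/198.51.100.5:80/myfolder/VirtualHostRoot/ [OK]'
)
ERROR_LOG = ('[Fri Mar 23 13:46:58 2007] [error] (110)Connection timed out: '
             'proxy: HTTP: attempt to connect to 198.51.100.5:9673 (*) failed')

PROXY_RE = re.compile(r'go-ahead with proxy request proxy:(\S+)')
CONNECT_RE = re.compile(r'proxy: HTTP: attempt to connect to (\S+?):(\d+) \(.*?\) failed')


def parse_vhm_url(url):
    """Split a VirtualHostMonster proxy URL into its separate roles."""
    parts = urlsplit(url)
    segs = parts.path.split('/')
    # Expected: ['', 'VirtualHostBase', scheme, 'host:port', folder..., 'VirtualHostRoot', rest...]
    if len(segs) < 5 or segs[1] != 'VirtualHostBase' or 'VirtualHostRoot' not in segs[4:]:
        raise ValueError('not a VirtualHostMonster URL: %r' % url)
    root = segs.index('VirtualHostRoot', 4)
    pub_host, _, pub_port = segs[3].partition(':')
    return {
        # Where the proxying web server opens its TCP connection.
        'backend': (parts.hostname, parts.port),
        # What Zope uses when it generates links in the response.
        'public': (segs[2], pub_host, int(pub_port) if pub_port else None),
        'zope_folder': '/' + '/'.join(segs[4:root]),
        'request_path': '/' + '/'.join(segs[root + 1:]),
    }


def diagnose(rewrite_line, error_line):
    """Return the parsed proxy target plus whether the failed connect was to it."""
    target = PROXY_RE.search(rewrite_line)
    failure = CONNECT_RE.search(error_line)
    if not target or not failure:
        return None
    info = parse_vhm_url(target.group(1))
    info['failed_connect'] = (failure.group(1), int(failure.group(2)))
    info['failed_is_backend'] = info['failed_connect'] == info['backend']
    return info


if __name__ == '__main__':
    print(diagnose(REWRITE_LOG, ERROR_LOG))
```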

