Drake CMS Official Forums - read-only archive

You are reading the Drake CMS Official Forums archive, available for historical purposes only.

Drake CMS has been rebranded into Lanius CMS, visit the new Lanius CMS Official Forums if you need support about Lanius CMS or Drake CMS -> Lanius CMS migration.



Home page Security issues > Drake User Managment + Drake Wrapper <--> ProxyPass (Apache) Permanent link to this page
 
 
Author Message:
aslinux
Drake User Managment + Drake Wrapper <--> ProxyPass (Apache)
08 July 2007 11:05
Anonymous i use der drake wrapper to host a webpage and the drake user managment to access control to this wrapper-menuitem.
the hosted webpage is behind my apache (internal network) so that i configured the apache with proxypass to host the page.

example:
a) ProxyPass /servicexyz/ http://192.168.0.5:8008/
coolWrapper menuitem = http://myhomepage.org/servicexyz/


now the problem is that everyone can host /servicexyz but only drake user should do that!
how can i resolve this problem?
any ideas?
 
legolas558
Re: Drake User Managment + Drake Wrapper <--> ProxyPass (Apache)
10 July 2007 16:12
Anonymous I think that the only feasible solution is that you retrieve the proxied page content via PHP (file_get_contents() should do the trick) and then send it into the output ONLY if the user has enough priviledges.

This way, if you never publicly show the internal address you'll be safe. You might also want to allow only your server to access that internal page and to suppress any error message that might disclose the internal address.
 
aslinux
Re: Drake User Managment + Drake Wrapper <--> ProxyPass (Apache)
10 July 2007 20:08
Anonymous you mean that wrapper menuitem is set to http://192.168.0.5:8008/!
this way was my first idea too. but the problem was that form the internet a dns-error occurred.
i´m apache configuration problem?

my second idea is to use a "apache handler"!
<Location /servicexyz/>
SetHandler <drake user managment>
Order Allow,Deny
Allow from all
</Location>
 
legolas558
Re: Drake User Managment + Drake Wrapper <--> ProxyPass (Apache)
10 July 2007 21:35
Anonymous No, I mean that you wrap a .php file containing something like

Code:


global $my;
if ($my->gid>=1) { // if the user is registered
echo file_get_contents('http://192.168.0.5:8008/');
}


But you should be sure that the page at the internal address does not contains full urls (of your intranet) in the HTML output; and some raw url rewriting may be needed in order to allow navigation through such PHP proxy.
 
aslinux
Re: Drake User Managment + Drake Wrapper <--> ProxyPass (Apache)
12 July 2007 18:48
Anonymous i have tested your idea. generally it works :-)

1.) rewriting in apache
Code:

LoadModule rewrite_module /usr/lib/apache2-prefork/mod_rewrite.so
RewriteEngine on
RewriteCond %{HTTP_REFERER} ^http://myhomepage.org/servicexyz/start.php
RewriteRule /servicexyz/(.*)$ http://192.168.0.5:8008/$1


2.) start.php to wrap the intranet and use drake user managment
Code:

<?php

require 'core.php';
include $d_root.'includes/header.php';

global $my;
if ($my->gid >=1) {
echo file_get_contents("http://192.168.0.5:8008/");
}
?>


3.) wrapper menu item is set to http://myhomepage.org/servicexyz/start.php

the page is correctly displayes.
but on the page is a submit-button and the infos where not correct rewritten!

now sadhttp://192.168.0.5:8008/start.php?action=anything

correct cheerfulhttp://192.168.0.5:8008/?action=anything

any ideas to correct the RewriteRule?
 
legolas558
Re: Drake User Managment + Drake Wrapper <--> ProxyPass (Apache)
12 July 2007 21:58
Anonymous Quote:

i have tested your idea. generally it works :-)

1.) rewriting in apache


You should not use Apache rewrite rules, otherwise people will be able to access your intranet URLs anyway...

Quote:

2.) start.php to wrap the intranet and use drake user managment


If you wrap it using the "PHP include mode" and not the iframe mode you won't need to include core.php and header.php

Quote:

but on the page is a submit-button and the infos where not correct rewritten!


You do not have to use Apache rewrite rules, you just have to make the necessary str_replace() (or preg_replace()) on the page content before echoing it out. Also, you might want to check if $_POST is empty or not and then have your php script make a POST request and fetch the results on screen (see the PHP manual for that).

Regards smile
 
aslinux
Re: Drake User Managment + Drake Wrapper <--> ProxyPass (Apache)
16 July 2007 14:23
Anonymous now i have tested the PHP-way.

1.) load the page
2.) load needed src and href files by manipulate the url with my attribute "remotefile="
3.) look at $_POST but always empty!

it seems that the page 192.168.0.5:8008 is build with javascript!
when i turn off the login startpage (later i don´t need this login!) then firstly the next page is not correctly displayed and secondly an errror "Invocation of webservice "ibox.xml" failed with http status code 404" occurred.

does the PHP-way should work with "all" pages?


here my "servicexyz/start.php":
Code:

<?php
$urlmaker = 0;
$myurl = "http://192.168.0.5:8008/";

if ( count( $_POST ) >= 1 )
{
// always empty!
}

if ( count( $_GET ) >= 1 )
{
// preparing the new url

foreach( $_GET as $key=>$val )
{
if ( $key != "remotefile" )
{
if ( $urlmaker == 0 )
{
$urlmaker = 1;
$myurl = $myurl."?";
}
$myurl = $myurl.$key."=".$val;
}
else
{
$myurl = $myurl.$val;
}
}
}

// load
$data = file_get_contents($myurl);

// rewrite included url`s
$datanew = str_replace("src=\"", "src=\"servicexyz/start.php?remotefile=", $data);
$datanew = str_replace("href=\"", "href=\"servicexyz/start.php?remotefile=", $datanew);

// my wrapped page
echo $datanew;
?>


 
legolas558
Re: Drake User Managment + Drake Wrapper <--> ProxyPass (Apache)
17 July 2007 08:22
Anonymous This thread is offtopic: not about Drake CMS security neither Drake CMS sad
Anyway, to address your problem: maybe the page you are proxying uses AJAX.

I suggest you to start a new topic in the off-topic area of these forums, then state clearly what is your situation (e.g. available stuff) and what you want to achieve. I think it's possible to make it work, btw.

Regards
 
aslinux
Re: Drake User Managment + Drake Wrapper <--> ProxyPass (Apache)
27 July 2007 12:44
Anonymous Now i have started the topic "How to implement the ProxyPass from Apache in PHP?" in the off-topic area.


 
trex1512
Re: Drake User Managment + Drake Wrapper <--> ProxyPass (Apache)
27 July 2007 16:48
Anonymous Hi

No worries.. smile
Hope you can get a discussion going to help you out...


TerryF
 
Top