How to use part of the Referrer header in an Apache rewrite rule

Time: 2016-10-06 22:13:47

Tags: apache mod-rewrite proxy

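I am writing a generic proxy of sorts, so that I can access a single host in the form http://<proxy-host>/<host-to-proxy-to>/<port>/<path>/, which currently uses a rewrite to proxy requests to https://<host-to-proxy-to>:<port>/<path>

I have that part working, and it seems to do what I want. However, in some cases I am dealing with sites that force root-relative URLs. The application in question is not particularly easy (and in some cases impossible) to change.

My question is how to identify the root-relative URLs hitting Apache and proxy them to the correct host. I have determined that the correct host details are still in the path of the referrer header, so I am trying to split the referrer path and use it in a rewrite rule.

Updated code below: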

<VirtualHost *:80>
  ServerName wtf.devbox-cole.orion.internal
  ServerAlias wtf.devbox-cole

  RewriteEngine On

  <LocationMatch "^/$">
    Header always set X-CRAP-BASE "Its working kinda"
    Redirect 410 /
  </LocationMatch>

  <Location /web/>
    Header always set X-CRAP-BASE "Hardly Working"
    RewriteCond %{HTTP_REFERER} "http://%{HTTP_HOST}/([a-zA-Z0-9_\.]*)/([0-9]*)/.*"
    RewriteRule (.*) https://%1:%2/$1 [P]
  </Location>

  <LocationMatch "^/(?<host>[a-zA-Z0-9_\.]*)/(?<port>[0-9]*)/(?<path>.*)">
    RewriteRule ".*" https://%{env:MATCH_HOST}:%{env:MATCH_PORT}/%{env:MATCH_PATH} [P]
    ProxyPassReverse "https://%{env:MATCH_HOST}:%{env:MATCH_PORT}/%{env:MATCH_PATH}"
  </LocationMatch>

  # Enable proxying to https://
  SSLProxyEngine On
  # Allow Proxying to https without valid cert
  SSLProxyVerify none
  # Disable Domain Name checking on the Certs
  SSLProxyCheckPeerCN off
  SSLProxyCheckPeerName off
  # Disable Cert Expiry Check
  SSLProxyCheckPeerExpire off

  LogLevel debug rewrite:trace8
  CustomLog "/var/log/apache2/wtf_log" "%h"
  ErrorLog "/var/log/apache2/wtf_error"
</VirtualHost>

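The code above still doesn't work properly. Still trying to track down why..

1 answer:

Answer 0: (score: 0)

So after many attempts and reading as much of the documentation as I could, I managed to solve my initial problem. The following VHost block will proxy http://domain.com/<host>/<port>/<path> to https://<host>:<port>/<path>, and it will map /web/* requests coming from that domain back to the appropriate location.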

<VirtualHost *:80>
  ServerName domain.com

  RewriteEngine On

  <LocationMatch "^/$">
    Header always set X-CRAP-BASE "Its working kinda"
    Redirect 410 /
  </LocationMatch>

  <Location /web/>
    Header always set X-CRAP-BASE "Hardly Working"
  </Location>

  RewriteCond %{REQUEST_URI} "^/web/.*"
  RewriteCond %{HTTP_REFERER} "http://.*/([a-zA-Z0-9_\.\-]*)/([0-9]*)/.*"
  RewriteRule (.*) https://%1:%2/$1 [P]

  RewriteCond %{REQUEST_URI} "^/([a-zA-Z0-9_\.\-]*)/([0-9]*)/(.*)"
  RewriteRule ".*" https://%1:%2/%3 [P]

  <LocationMatch "^/(?<host>[a-zA-Z0-9_\.\-]*)/(?<port>[0-9]*)/(?<path>.*)">
    ProxyPassReverse "https://%{env:MATCH_HOST}:%{env:MATCH_PORT}/%{env:MATCH_PATH}"
  </LocationMatch>

  # Enable proxying to https://
  SSLProxyEngine On
  # Allow Proxying to https without valid cert
  SSLProxyVerify none
  # Disable CN Checking on the Certs
  SSLProxyCheckPeerCN off
  SSLProxyCheckPeerName off
  # Disable Cert Expiry Check
  SSLProxyCheckPeerExpire off

  # Extra Logging
  #LogLevel debug rewrite:trace8
  CustomLog "/var/log/apache2/domain.com_log" "%h"
  ErrorLog "/var/log/apache2/domain.com_error"
</VirtualHost>

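Then I remembered what a stupid thing the Referrer header is, because if a CSS file requests another CSS file, or for example an image, then the referrer is not set as expected :facepalm: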
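
The failure the answer ends on can be reproduced by modelling its two rewrite rules in Python; this is an added example, not code from the original question or answer. The sample hosts and paths, the `resolve_upstream` and `is_allowed` helpers, and the upstream allowlist are assumptions introduced here (the original config has no allowlist).

```python
import re

# Patterns copied from the answer's RewriteCond lines (RewriteCond searches unanchored).
REFERER_RE = re.compile(r"http://.*/([a-zA-Z0-9_\.\-]*)/([0-9]*)/.*")
PATH_RE = re.compile(r"^/([a-zA-Z0-9_\.\-]*)/([0-9]*)/(.*)")

# Assumption: an allowlist of upstreams; the original config has none.
ALLOWED_UPSTREAMS = {("app1.internal", "8443")}


def resolve_upstream(request_uri, referer=None):
    """Return (host, port, path, source) as the answer's two rules pick it, or None."""
    if request_uri.startswith("/web/") and referer:
        m = REFERER_RE.search(referer)
        if m:
            # Rule 1: host and port come from the client-supplied Referer.
            return m.group(1), m.group(2), request_uri, "referer"
    m = PATH_RE.search(request_uri)
    if m:
        # Rule 2: host and port come from the request path itself.
        return m.group(1), m.group(2), "/" + m.group(3), "path"
    return None  # neither rule fires, so the request is not proxied


def is_allowed(target):
    """Added check: only proxy to upstreams that are on the allowlist."""
    return target is not None and (target[0], target[1]) in ALLOWED_UPSTREAMS


# Constructed sample requests (hosts and paths are made up for illustration).
SAMPLES = [
    ("/app1.internal/8443/login", None),                                  # page via rule 2
    ("/web/css/site.css", "http://domain.com/app1.internal/8443/login"),  # asset via rule 1
    ("/web/img/bg.png", "http://domain.com/web/css/site.css"),            # nested asset
    ("/web/css/site.css", "http://domain.com/other.internal/9000/x"),     # not on allowlist
]

if __name__ == "__main__":
    for uri, ref in SAMPLES:
        target = resolve_upstream(uri, ref)
        print(f"{uri} (Referer: {ref})\n  -> {target} allowed={is_allowed(target)}")
```

The third sample is the case from the answer's last paragraph: the Referer is the CSS file's own `/web/...` URL, so it no longer carries a host and port and neither rule matches.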