Apache + SP HTTP reverse proxy to Weblogic
Cantor, Scott
cantor.2 at osu.edu
Fri Nov 18 14:57:54 GMT 2011
On 11/18/11 7:09 AM, "Sykes, Andy" <a.sykes at ucl.ac.uk> wrote:
>
>So I'm left with only a plain old dumb HTTP proxy, which I can't squirt
>env vars through. I can switch to request headers, but that is very much
>frowned upon.
It's frowned on because one way is bulletproof and the other has lots of
caveats. Trying to explain caveats to people tends not to work so well. If
you know enough to ask, you know enough to understand the caveats.

The SP does its own header defensing, but a proxy can't, so you just have
to be darn sure nothing can directly access the WebLogic tier.

Also, AFAIK, the WebLogic proxy module for Apache auto-forwards all
headers. So one option is to use the SetHeader stuff explicitly and stick
with EnvVars with the SP, or you can switch to headers and automate it.
>The NativeSPSpoofChecking page says: "There are no known scenarios in
>which environment variables can't be used, including with Java
>containers, though sometimes extra effort or Apache settings may be
>needed." So I'm trying to establish if just setting headers with
>RequestHeader is sane (which would fit "extra effort or Apache
>settings"), or whether I'm missing something really obvious.
It's sane, but obviously insecure against any sort of client spoofing, as
any proxied server would be.
-- Scott
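
The RequestHeader approach discussed in this thread, sketched as an added example that is not part of the original messages or of the Shibboleth project's own configuration. The path /app, the attribute id eppn, the header name X-Shib-Eppn and the backend host are assumptions, and the Shibboleth directives assume a current SP module.

```apache
# Added example: the names below are illustrative assumptions, not from the thread.
#   /app                             protected path
#   eppn                             attribute id the SP exports as an env var
#   X-Shib-Eppn                      header name the WebLogic application reads
#   weblogic.internal.example:7001   backend reachable only from this proxy
<Location /app>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require shib-session

    # Weak form (insufficient on its own): with only the conditional "set",
    # a request for which eppn is not populated reaches the backend carrying
    # whatever value the client supplied in that header.
    #   RequestHeader set X-Shib-Eppn "%{eppn}e" env=eppn

    # Hardened form: always drop the inbound header first, then set it from
    # the SP's environment variable only when the SP populated it.
    # mod_headers applies these directives in the order written.
    RequestHeader unset X-Shib-Eppn
    RequestHeader set X-Shib-Eppn "%{eppn}e" env=eppn

    ProxyPass        http://weblogic.internal.example:7001/app
    ProxyPassReverse http://weblogic.internal.example:7001/app
</Location>
```

This only protects requests that pass through Apache; the WebLogic listener still has to be restricted (bind address or firewall rule) so that only the proxy host can connect to it.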