Cookie spoof

Peter Schober peter.schober at
Tue Nov 12 09:11:07 EST 2019

* Stopinski, Thomas Thaddäus <thstopinski at> [2019-11-11 23:40]:
> In our believe we need the rewrite rule because, we want all traffic
> to go over a secure SSL connection.

A redirect directive in the non-TLS vhost should suffice:

  Redirect / https://${vhost}/

> As I was trying to describe in my initial mail, we have the SP and
> the Webapp running on two different machines. Even more, we run them
> in different domains.

Well, this is an except from the config you sent:

<VirtualHost *:443>
    UseCanonicalName On                                                                         
    # [...]    
    ProxyPass /
    ProxyPassReverse /

There the (local) ServerName and the (remote) proxied resource name
are represented by the same string. So did you simply mess up the
pseudonymization of the hosts when writing that email (and those
directives actually reference different server names) or is that a
fair representation of your configuration?

If the latter ServerName should be set to a name that maps (in DNS and
local configuration) to the proxy itself, and the ProxyPass(Reverse)
directices should point to the internal name of the proxied resource
server, which should never be accessed nor be accessible other than
going through the proxy. As such it doesn't even need a name in DNS.
(Though that might make things slightly easier wrt TLS client
configuration to the proxied resource.)


More information about the users mailing list