
In order to cope with the same-origin policy for AJAX calls I want to allow for mod_rewrite and mod_proxy to handle these calls in a similar way as described in another answer:

RewriteEngine On
RewriteRule ^proxy/(.+)$ http://api.example.com/$1 [P]

However, I am reading all through the web that the use of mod_proxy can be a risky business.

So my question is: Are there any security concerns about enabling mod_proxy and using it in the way given above? If so, what configuration should I choose to use a mod_proxy gateway in a safe way?

Thanks, any help is appreciated.

PS: And yes, I am aware that CORS is a more reasonable way to solve the same-origins problem, but the remote site I am working with is a little bit reluctant to support CORS, so I have to look for alternatives.

MRA
  • It's a risk if you don't secure it properly, but it can be used in the way you describe. – Nathan C Sep 04 '13 at 11:24
  • So the remote site has an API but doesn't want you to use it? How ridiculous. – Michael Hampton Sep 04 '13 at 16:08
  • Well, technically it is a public API, but we are still in the midst of the process of catching up on some developments of the past years that have been missed. And CORS is not their top priority at the moment, while I in the meantime have to get my prototype running, somehow. I know, it is not ideal, but there is only so much I can do about it ... – MRA Sep 04 '13 at 16:42

1 Answer


Be sure to have ProxyRequests Off to prevent misusing your server as an open proxy; from the docs:

ProxyRequests Directive

Description:  Enables forward (standard) proxy requests
Syntax:       ProxyRequests On|Off
Default:      ProxyRequests Off
Context:      server config, virtual host

This allows or prevents Apache from functioning 
as a forward proxy server. (Setting ProxyRequests to Off 
does not disable use of the ProxyPass directive.)

In a typical reverse proxy or gateway configuration, 
this option should be set to Off.

Regarding security concerns: you'll see all requests in your logs, so make sure they are protected and don't contain "interesting" information like tokens or other stuff that might be used to gain unauthorized access.
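The following virtual host is an added example of a gateway configuration that applies the answer's two points (no forward proxying, no secrets in the access log) and narrows the question's catch-all rewrite to a single upstream prefix. It is not from the original question or answer or from the Apache project; it assumes Apache 2.4 with mod_proxy, mod_proxy_http, mod_ssl and mod_log_config loaded, that the site lives in /var/www/html, and that the remote API is reachable at https://api.example.com (a placeholder host) under the path /v1/.

```apache
# Added example: hardened mod_proxy gateway for same-origin AJAX relaying.
# All host names and paths below are assumptions, not values from the original page.
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/html

    # Never act as a forward proxy. This is the default, but stating it makes the
    # intent explicit and prevents a later "ProxyRequests On" from being inherited.
    ProxyRequests Off
    # Send the upstream's own host name, not the client's Host header.
    ProxyPreserveHost Off

    # Relay only the documented API prefix; every other path is served locally.
    # Unlike a rewrite of proxy/(.+), this cannot be steered to other upstream paths
    # than /v1/ on the one configured host.
    ProxyPass        "/api/v1/" "https://api.example.com/v1/"
    ProxyPassReverse "/api/v1/" "https://api.example.com/v1/"
    ProxyTimeout 10

    # Verify the upstream certificate so the gateway cannot be redirected to a
    # look-alike host by DNS tampering or a rogue certificate.
    SSLProxyEngine On
    SSLProxyVerify require
    SSLProxyCheckPeerName on

    # Limit the relayed methods to what the front-end actually uses.
    <Location "/api/v1/">
        Require all granted
        <LimitExcept GET POST>
            Require all denied
        </LimitExcept>
    </Location>

    # Log method, path and protocol (%m %U %H) instead of the full request line (%r),
    # so query-string parameters such as tokens never reach the log file.
    LogFormat "%h %l %u %t \"%m %U %H\" %>s %b" gateway_noquery
    CustomLog "logs/gateway_access.log" gateway_noquery
</VirtualHost>
```

If the RewriteRule form from the question is kept instead of ProxyPass, anchor the pattern with ^ and restrict the captured group (for example to `[A-Za-z0-9/_.-]+`) so that only expected API paths can be relayed. After reloading, confirm the server refuses forward-proxy requests by sending a request for an absolute URI of an unrelated site through it (for example `curl -x www.example.com:443 https://www.iana.org/`); the expected result is a 403 or 404 from your own server, not the remote page.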