0

In a setting of Apache + mod_wsgi and nginx + uwsgi, what could be the way to set up the web server to proxy requests for big "intranet" files?

What I am thinking about is a way a la x-sendfile, but where the WSGI application points to a file URL "intranet" location in its response, and the web server downloads and uploads the file to the original requester without revealing its "intranet" location. Of course, nothing happens if there is no authentication and access rights check on the WSGI application side.

It's very hard to find this kind of setup by googling, not even sure what term to use.

By "intranet" I mean files accessible via HTTPS requests from the proxy server, which may have its own credentials to them, but not from the public internet or by local filesystem (as is the use case with x-sendfile).

Roman Susi

1 Answer

1

If using mod_wsgi in daemon mode, you can return an empty HTTP 200 response with a Location response header, and when that is seen by the Apache process proxying to the mod_wsgi daemon process, it will evaluate that as a sub request. The path in that could be mapped to a new URL handler in the Apache configuration which is actually a proxy setup which sends the request to another downstream backend server. The response from that will then be proxied back to the client. If you don't want that secondary URL handler to be visible outside, i.e., someone can't request it directly if they work out the URL path, you need to use a mod_rewrite rule to reject any request if it isn't a sub request.

So you might have something like:

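```apache
# mod_rewrite rules are ignored unless the engine is enabled in this context.
RewriteEngine On

# Reject direct client requests for the hidden prefix; only sub requests pass.
RewriteCond %{IS_SUBREQ} false
RewriteRule ^/hidden/stuff/ - [F]

# Map the hidden prefix onto the downstream backend server.
ProxyPass /hidden/stuff/ http://backend.example.com/
```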

The WSGI response would then be an empty HTTP 200 response with a Location header of:

```
Location: /hidden/stuff/some-file-name
```

The sub request would end up being:

```
http://backend.example.com/some-file-name
```

against the backend server, with the response proxied back to the client.

Graham Dumpleton
  • Can't get it to work. Client (browser) gets the Location header instead of Apache intercepting it during the first request. Something is probably missing. – Roman Susi Jun 18 '19 at 12:05
  • Are you using mod_wsgi? Is your WSGI application generating the `Location` header and returning a 200 response with no body? Are you absolutely sure you are using daemon mode properly? I quite often see people who think they are using daemon mode but got the config wrong and so aren't. Note that daemon mode isn't available on Windows either. See https://modwsgi.readthedocs.io/en/develop/user-guides/checking-your-installation.html#embedded-or-daemon-mode – Graham Dumpleton Jun 18 '19 at 13:49
  • Yes, I am almost sure of those things. (daemon mode - assuming the WSGIDaemonProcess directive tells it). Not on Windows. The idea is that the browser side never sees the path in `Location:`. The question is: should backend.example.com be configured in the same Apache? What if it is an external service? – Roman Susi Jun 18 '19 at 14:03
  • `WSGIDaemonProcess` is not enough. You need to be delegating to the process group using `WSGIProcessGroup` or `process-group` option to `WSGIScriptAlias`. This is what people forget to add sometimes. Use the check in that docs to confirm you have it correct. – Graham Dumpleton Jun 19 '19 at 00:11
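
The WSGI side of the setup described in the answer, as an added example that is not code from the question, the answer or the comments: it runs the access check the question calls for and only then returns the empty 200 with a `Location` under `/hidden/stuff/`. Using `REMOTE_USER` as the identity source, the `ALLOWED` table and the file-name pattern are assumptions.

```python
import re

# Internal-only prefix from the answer's ProxyPass / RewriteRule.
HIDDEN_PREFIX = "/hidden/stuff/"

# Constructed sample ACL (assumption): user -> files that user may fetch.
ALLOWED = {"alice": {"report-2019.pdf", "build.iso"}, "bob": {"build.iso"}}

# Single path segment only: no "/", no leading ".", no "%" or "?" that
# could steer the sub request to another backend path or add a query.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


def internal_location(name):
    """Return the sub request path for a file name, or None if unsafe."""
    if not SAFE_NAME.fullmatch(name):
        return None
    return HIDDEN_PREFIX + name


def application(environ, start_response):
    # Assumption: Apache authenticated the request and set REMOTE_USER.
    user = environ.get("REMOTE_USER")
    name = environ.get("PATH_INFO", "").lstrip("/")

    location = internal_location(name)
    if location is None:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found\n"]

    # Access check happens here, before any Location is emitted.
    if name not in ALLOWED.get(user, set()):
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"forbidden\n"]

    # Empty 200 plus Location: per the answer, Apache in front of the
    # mod_wsgi daemon process handles this as a sub request.
    start_response("200 OK", [("Location", location)])
    return []
```

Because the application is the only thing that decides which backend path gets fetched, the file name is validated before it is appended to the hidden prefix.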