📄 mod_proxy.html.en
字号:
<h3><a name="ftppass" id="ftppass">How can I hide the FTP cleartext password
in my browser's URL line?</a></h3>
<p>To log in to an FTP server by username and password, Apache uses
different strategies. In absense of a user name and password in the URL
altogether, Apache sends an anonymous login to the FTP server,
<em>i.e.</em>,</p>
<div class="example"><p><code>
user: anonymous<br />
password: apache_proxy@
</code></p></div>
<p>This works for all popular FTP servers which are configured for
anonymous access.</p>
<p>For a personal login with a specific username, you can embed the user
name into the URL, like in:</p>
<div class="example"><p><code>
ftp://<var>username</var>@<var>host</var>/myfile
</code></p></div>
<p>If the FTP server asks for a password when given this username (which
it should), then Apache will reply with a <code>401</code> (Authorization
required) response, which causes the Browser to pop up the
username/password dialog. Upon entering the password, the connection
attempt is retried, and if successful, the requested resource is
presented. The advantage of this procedure is that your browser does not
display the password in cleartext (which it would if you had used</p>
<div class="example"><p><code>
ftp://<var>username</var>:<var>password</var>@<var>host</var>/myfile
</code></p></div>
<p>in the first place).</p>
<div class="note"><h3>Note</h3>
<p>The password which is transmitted in such a way is not encrypted on
its way. It travels between your browser and the Apache proxy server in
a base64-encoded cleartext string, and between the Apache proxy and the
FTP server as plaintext. You should therefore think twice before
accessing your FTP server via HTTP (or before accessing your personal
files via FTP at all!) When using unsecure channels, an eavesdropper
might intercept your password on its way.</p>
</div>
</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="startup" id="startup">Slow Startup</a></h2>
<p>If you're using the <code class="directive"><a href="#proxyblock">ProxyBlock</a></code> directive, hostnames' IP addresses are looked up
and cached during startup for later match test. This may take a few
seconds (or more) depending on the speed with which the hostname lookups
occur.</p>
</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="intranet" id="intranet">Intranet Proxy</a></h2>
<p>An Apache proxy server situated in an intranet needs to forward
external requests through the company's firewall (for this, configure
the <code class="directive"><a href="#proxyremote">ProxyRemote</a></code> directive
to forward the respective <var>scheme</var> to the firewall proxy).
However, when it has to
access resources within the intranet, it can bypass the firewall when
accessing hosts. The <code class="directive"><a href="#noproxy">NoProxy</a></code>
directive is useful for specifying which hosts belong to the intranet and
should be accessed directly.</p>
<p>Users within an intranet tend to omit the local domain name from their
WWW requests, thus requesting "http://somehost/" instead of
<code>http://somehost.example.com/</code>. Some commercial proxy servers
let them get away with this and simply serve the request, implying a
configured local domain. When the <code class="directive"><a href="#proxydomain">ProxyDomain</a></code> directive is used and the server is <a href="#proxyrequests">configured for proxy service</a>, Apache can return
a redirect response and send the client to the correct, fully qualified,
server address. This is the preferred method since the user's bookmark
files will then contain fully qualified hosts.</p>
</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="envsettings" id="envsettings">Protocol Adjustments</a></h2>
<p>For circumstances where you have a application server which doesn't
implement keepalives or HTTP/1.1 properly, there are 2 environment
variables which when set send a HTTP/1.0 with no keepalive. These are set
via the <code class="directive"><a href="../mod/mod_env.html#setenv">SetEnv</a></code> directive.</p>
<p>These are the <code>force-proxy-request-1.0</code> and
<code>proxy-nokeepalive</code> notes.</p>
<div class="example"><p><code>
<Location /buggyappserver/><br />
<span class="indent">
ProxyPass http://buggyappserver:7001/foo/<br />
SetEnv force-proxy-request-1.0 1<br />
SetEnv proxy-nokeepalive 1<br />
</span>
</Location>
</code></p></div>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="AllowCONNECT" id="AllowCONNECT">AllowCONNECT</a> <a name="allowconnect" id="allowconnect">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Ports that are allowed to <code>CONNECT</code> through the
proxy</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>AllowCONNECT <var>port</var> [<var>port</var>] ...</code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>AllowCONNECT 443 563</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_proxy</td></tr>
</table>
<p>The <code class="directive">AllowCONNECT</code> directive specifies a list
of port numbers to which the proxy <code>CONNECT</code> method may
connect. Today's browsers use this method when a <code>https</code>
connection is requested and proxy tunneling over HTTP is in effect.</p>
<p>By default, only the default https port (<code>443</code>) and the
default snews port (<code>563</code>) are enabled. Use the
<code class="directive">AllowCONNECT</code> directive to override this default and
allow connections to the listed ports only.</p>
<p>Note that you'll need to have <code class="module"><a href="../mod/mod_proxy_connect.html">mod_proxy_connect</a></code> present
in the server in order to get the support for the <code>CONNECT</code> at
all.</p>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="NoProxy" id="NoProxy">NoProxy</a> <a name="noproxy" id="noproxy">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Hosts, domains, or networks that will be connected to
directly</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>NoProxy <var>host</var> [<var>host</var>] ...</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_proxy</td></tr>
</table>
<p>This directive is only useful for Apache proxy servers within
intranets. The <code class="directive">NoProxy</code> directive specifies a
list of subnets, IP addresses, hosts and/or domains, separated by
spaces. A request to a host which matches one or more of these is
always served directly, without forwarding to the configured
<code class="directive"><a href="#proxyremote">ProxyRemote</a></code> proxy server(s).</p>
<div class="example"><h3>Example</h3><p><code>
ProxyRemote * http://firewall.mycompany.com:81<br />
NoProxy .mycompany.com 192.168.112.0/21
</code></p></div>
<p>The <var>host</var> arguments to the <code class="directive">NoProxy</code>
directive are one of the following type list:</p>
<dl>
<dt><var><a name="domain" id="domain">Domain</a></var></dt>
<dd>
<p>A <dfn>Domain</dfn> is a partially qualified DNS domain name, preceded
by a period. It represents a list of hosts which logically belong to the
same DNS domain or zone (<em>i.e.</em>, the suffixes of the hostnames are
all ending in <var>Domain</var>).</p>
<div class="example"><h3>Examples</h3><p><code>
.com .apache.org.
</code></p></div>
<p>To distinguish <var>Domain</var>s from <var><a href="#hostname">Hostname</a></var>s (both syntactically and semantically; a DNS domain can
have a DNS A record, too!), <var>Domain</var>s are always written with a
leading period.</p>
<div class="note"><h3>Note</h3>
<p>Domain name comparisons are done without regard to the case, and
<var>Domain</var>s are always assumed to be anchored in the root of the
DNS tree, therefore two domains <code>.MyDomain.com</code> and
<code>.mydomain.com.</code> (note the trailing period) are considered
equal. Since a domain comparison does not involve a DNS lookup, it is much
more efficient than subnet comparison.</p>
</div></dd>
<dt><var><a name="subnet" id="subnet">SubNet</a></var></dt>
<dd>
<p>A <dfn>SubNet</dfn> is a partially qualified internet address in
numeric (dotted quad) form, optionally followed by a slash and the netmask,
specified as the number of significant bits in the <var>SubNet</var>. It is
used to represent a subnet of hosts which can be reached over a common
network interface. In the absence of the explicit net mask it is assumed
that omitted (or zero valued) trailing digits specify the mask. (In this
case, the netmask can only be multiples of 8 bits wide.) Examples:</p>
<dl>
<dt><code>192.168</code> or <code>192.168.0.0</code></dt>
<dd>the subnet 192.168.0.0 with an implied netmask of 16 valid bits
(sometimes used in the netmask form <code>255.255.0.0</code>)</dd>
<dt><code>192.168.112.0/21</code></dt>
<dd>the subnet <code>192.168.112.0/21</code> with a netmask of 21
valid bits (also used in the form 255.255.248.0)</dd>
</dl>
<p>As a degenerate case, a <em>SubNet</em> with 32 valid bits is the
equivalent to an <var><a href="#ipadr">IPAddr</a></var>, while a <var>SubNet</var> with zero
valid bits (<em>e.g.</em>, 0.0.0.0/0) is the same as the constant
<var>_Default_</var>, matching any IP address.</p></dd>
<dt><var><a name="ipaddr" id="ipaddr">IPAddr</a></var></dt>
<dd>
<p>A <dfn>IPAddr</dfn> represents a fully qualified internet address in
numeric (dotted quad) form. Usually, this address represents a host, but
there need not necessarily be a DNS domain name connected with the
address.</p>
<div class="example"><h3>Example</h3><p><code>
192.168.123.7
</code></p></div>
<div class="note"><h3>Note</h3>
<p>An <var>IPAddr</var> does not need to be resolved by the DNS system, so
it can result in more effective apache performance.</p>
</div></dd>
<dt><var><a name="hostname" id="hostname">Hostname</a></var></dt>
<dd>
<p>A <dfn>Hostname</dfn> is a fully qualified DNS domain name which can
be resolved to one or more <var><a href="#ipaddr">IPAddrs</a></var> via the
DNS domain name service. It represents a logical host (in contrast to
<var><a href="#domain">Domain</a></var>s, see above) and must be resolvable
to at least one <var><a href="#ipaddr">IPAddr</a></var> (or often to a list
of hosts with different <var><a href="#ipaddr">IPAddr</a></var>s).</p>
<div class="example"><h3>Examples</h3><p><code>
prep.ai.mit.edu<br />
www.apache.org
</code></p></div>
<div class="note"><h3>Note</h3>
<p>In many situations, it is more effective to specify an <var><a href="#ipaddr">IPAddr</a></var> in place of a <var>Hostname</var> since a
DNS lookup can be avoided. Name resolution in Apache can take a remarkable
deal of time when the connection to the name server uses a slow PPP
link.</p>
<p><var>Hostname</var> comparisons are done without regard to the case,
and <var>Hostname</var>s are always assumed to be anchored in the root
of the DNS tree, therefore two hosts <code>WWW.MyDomain.com</code>
and <code>www.mydomain.com.</code> (note the trailing period) are
considered equal.</p>
</div></dd>
</dl>
<h3>See also</h3>
<ul>
<li><a href="../dns-caveats.html">DNS Issues</a></li>
</ul>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="Proxy" id="Proxy"><Proxy></a> <a name="proxy" id="proxy">Directive</a></h2>
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -