I don't think 2.0 has any specific options for not passing specific cookies through.
I'm not sure how easy it would be. Looking at a tcpdump of port 80 traffic, it doesn't look like the request passes the domain back.

I guess the only way would be for the site admin to explicitly block a cookie, but I don't believe that option exists at the moment, and I can't think of a workaround via rewrite.

Sorry Ken.

P.S. If this is a really, really big pain for you, we could add a directive to mask cookies, but it would probably end up in the standard 2.0 distribution, not 1.3.

--ian


Mathias Herberts wrote:
Humm, second thought: we are not running the same config. No auth is done on our reverse proxies, and I personally think this is not the place for auth, as reverse proxies should really be transparent.

I guess the actual mod_proxy code will not enable you to fix your problem. Maybe Apache 2.0 has more features for tweaking headers.

Regards,

Mathias.

Weiss, Ken wrote:

I have configured Apache 1.3.27 to operate as a reverse proxy. My proxy runs on proxybox.schwab.com. I have a content server sitting behind it, content.schwab.com. I can access the following URL, and it works perfectly:

http://proxybox.schwab.com/content

I get the content that is sitting on content.schwab.com. So all the reverse proxy stuff is working fine.



Here's my problem. I use a cookie to authenticate people to proxybox.schwab.com. This cookie has a domain of .proxybox.schwab.com, so it should only be presented to that specific host. Web servers running on any other host should not be able to see this cookie. But, I can see the cookie on content.schwab.com.

It appears that mod_proxy passes all headers, including cookies with very restrictive domains, to the content servers. Even though the cookie has a domain set that should prevent it from going to any other servers, it still gets passed along.

Is there any way to configure mod_proxy so it will stop doing this? Is there any way to modify mod_proxy to filter a specific cookie from the header before passing the request to the content server?









--Ken



---------------------------------------------------------------
Ken Weiss                                  [EMAIL PROTECTED]
Directory Services                         415-667-1424 (voice)
Charles Schwab & Co.                        415-786-1545 (cell)
SF211MN-10-353                               415-667-1797 (fax)
101 Montgomery St.
San Francisco, CA 94104

WARNING: All email sent to this address will be received by the Charles Schwab & Co., Inc. corporate email system and is subject to archival and review by someone other than the recipient.
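
An added illustration of the filter Ken asks about (not mod_proxy code and not part of the original thread): a Cookie request header carries only name=value pairs and no domain attribute, so a proxy can only mask a cookie by name before forwarding. The helper `strip_cookie` and the cookie name `PROXYAUTH` are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not an Apache API. Copies the value of a Cookie
 * request header into out, omitting every pair named exactly `name`.
 * Returns the number of pairs kept; 0 means drop the header entirely.
 * Returns -1 (and empties out) if out is too small, so the caller can
 * fail closed instead of forwarding a truncated header. */
int strip_cookie(const char *hdr, const char *name, char *out, size_t outlen)
{
    size_t nlen = strlen(name), used = 0;
    int kept = 0;
    const char *p = hdr;

    if (outlen == 0) return -1;
    out[0] = '\0';
    while (*p) {
        const char *end, *eq;
        size_t len, klen;

        while (*p == ' ' || *p == '\t' || *p == ';') p++;  /* separators */
        if (!*p) break;
        end = strchr(p, ';');
        if (!end) end = p + strlen(p);
        len = (size_t)(end - p);
        while (len && (p[len - 1] == ' ' || p[len - 1] == '\t')) len--;
        eq = memchr(p, '=', len);
        klen = eq ? (size_t)(eq - p) : len;
        while (klen && (p[klen - 1] == ' ' || p[klen - 1] == '\t')) klen--;
        /* Exact, case-sensitive name match: "authX" must survive "auth". */
        if (klen != nlen || memcmp(p, name, nlen) != 0) {
            size_t need = len + (kept ? 2 : 0);
            if (used + need + 1 > outlen) { out[0] = '\0'; return -1; }
            if (kept) { memcpy(out + used, "; ", 2); used += 2; }
            memcpy(out + used, p, len);
            used += len;
            out[used] = '\0';
            kept++;
        }
        p = end;
    }
    return kept;
}

int main(void)
{
    /* Constructed sample header; PROXYAUTH is an assumed cookie name. */
    char out[128];
    int n = strip_cookie("lang=en; PROXYAUTH=s3cr3t; PROXYAUTH2=keep", "PROXYAUTH", out, sizeof out);
    printf("%d kept: %s\n", n, out);
    return 0;
}
```

When the function returns 0 the proxy should omit the Cookie header rather than send an empty one to the content server.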









