
Allow AccessList and PasswordFile functionality to work for reverse proxy

rouilj
3 February 2017, 01:25
I have some simple web services (elog, roundup, fossil) that I want to run behind hiawatha.
I want to limit what hosts can connect to the reverse proxy and in one case add
a password requirement enforced by hiawatha before the service.

I have only a single DNS name on which to run it, so I can't have multiple virtual hosts.

Basically I am looking for a way to set up access controls available to directories for the reverse proxy.

Since I have different access lists/passwords for the different proxies, I can't set it
at the virtual host level.

Is there any solution to this issue?
Hugo Leisink
3 February 2017, 19:43
To limit what hosts can connect, use the AccessList option.

Have you given the ReverseProxy option already a try?
Joe Schmoe
3 February 2017, 21:24
Is it possible to use the port (like 8080 or 8888) for different virtualhosts using the same IP address or even hostname?
Hugo Leisink
3 February 2017, 23:31
Yes, use the BindingID and RequiredBinding options for that.
rouilj
4 February 2017, 00:31
Hi Hugo:

I only want some of the reverse proxies to have an access list, not all.

There is no way that I know of to have two different access lists for 2 different
reverse proxies in a single virtual host.

I really wish I could define a
reverseproxy {
    proxyid = elog
    path = /elog
    strip = 1
    target = http://127.0.0.1:8082/
    timeout = 60
    keepalive = yes
    accesslist = deny 172.25.1.1/28, pwd 172.25.0.0/16, deny all
    passwordfile = /protect/passwords
}

and then in the virtualhost use:
virtualhost {
    ...
    # configure for foswiki
    UseToolkit = foswiki
    Alias = /foswiki/bin:/tools/foswiki/bin
    Alias = /foswiki/pub:/tools/foswiki/pub
    Alias = /foswiki/robots.txt:/tools/foswiki/robots.txt
    # configure for elog
    UseToolkit = elog
    UseReverseProxy = elog

    UseToolkit = fossil
    UseReverseProxy = fossil

    UseToolkit = roundup
    UseReverseProxy = roundup
    ... 30 other directives removed
}

similar to how directory stanzas are configured.

Joe Schmoe, about a year ago I tried to set up reverse proxies by looping back into
hiawatha on different ports with different virtual hostnames. Hiawatha detected it
as an infinite loop and dropped connections.

See the 7 June 2015 post on: https://www.hiawatha-webserver.org/forum/topic/1967

Hugo, does the use of BindingID and RequiredBinding change the X-Hiawatha-RProxy-ID value
so that rproxy.c::rproxy_loop_detected() doesn't detect a loop when I proxy back through
a running hiawatha?

If so, then that sounds like it would work. I would just create a new
virtual host stanza with a binding of 127.0.0.1 and different ports, then set the
AccessList and PasswordFile for that virtual host and use that host for exactly one reverse proxy.

Does that sound like it would work?

-- rouilj
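As an added illustration for this thread (not Hiawatha's code and not from anyone posting here), this is how the access list in the wished-for stanza above would be evaluated against a client address. It assumes first-match semantics (the first rule whose network contains the client decides) and models `pwd` as "accepted from this range only with valid credentials". The password table and the sample addresses are constructed; a real password file holds hashed entries, not plaintext.

```python
"""Evaluate an access list in the shape of the post's
'deny 172.25.1.1/28, pwd 172.25.0.0/16, deny all' against a client address.

Added example for this thread, not Hiawatha's implementation. Assumed
semantics: rules are tried in order and the first matching network
decides; 'pwd' means the address is acceptable only with valid credentials.
"""
import hmac
import ipaddress

# Constructed sample data: the access list quoted in the post and a
# stand-in for /protect/passwords. A real password file stores hashes;
# plaintext is used here only to keep the example self-contained.
ACCESS_LIST = "deny 172.25.1.1/28, pwd 172.25.0.0/16, deny all"
PASSWORD_DB = {"alice": "correct-horse"}


def parse_access_list(spec):
    """Turn 'verb network, verb network, verb all' into [(verb, network)]."""
    rules = []
    for item in spec.split(","):
        verb, _, target = item.strip().partition(" ")
        verb, target = verb.lower(), target.strip()
        if verb not in ("allow", "deny", "pwd"):
            raise ValueError(f"unknown access verb: {verb!r}")
        if target == "all":
            rules.append((verb, None))  # None matches any address
        else:
            # strict=False lets 172.25.1.1/28 stand for 172.25.1.0/28
            rules.append((verb, ipaddress.ip_network(target, strict=False)))
    return rules


def decide(rules, client_ip):
    """Return 'allow', 'deny' or 'pwd' from the first rule containing client_ip.

    A list without a catch-all falls through to 'deny' so it fails closed.
    """
    addr = ipaddress.ip_address(client_ip)
    for verb, net in rules:
        if net is None or addr in net:
            return verb
    return "deny"


def authorize(rules, client_ip, credentials=None):
    """Combine the address verdict with a password check for 'pwd' ranges.

    Returns an HTTP-style status: 200 allowed, 401 credentials required or
    wrong, 403 refused by address regardless of credentials.
    """
    verdict = decide(rules, client_ip)
    if verdict == "deny":
        return 403
    if verdict == "allow":
        return 200
    if credentials is None:
        return 401
    user, password = credentials
    expected = PASSWORD_DB.get(user, "")
    # constant-time comparison so an unknown user and a wrong password
    # take the same time to reject
    if expected and hmac.compare_digest(expected.encode(), password.encode()):
        return 200
    return 401


if __name__ == "__main__":
    rules = parse_access_list(ACCESS_LIST)
    for ip, creds in [("172.25.1.5", None),
                      ("172.25.7.9", None),
                      ("172.25.7.9", ("alice", "correct-horse")),
                      ("10.0.0.1", ("alice", "correct-horse"))]:
        print(f"{ip:12} {creds!s:28} -> {authorize(rules, ip, creds)}")
```

Note the ordering matters: the `/28` deny sits before the `/16` pwd rule, so addresses in that small block are refused outright even when they present a valid password, while the rest of the `/16` gets a 401 challenge and everything else is turned away by the trailing `deny all`.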
Hugo Leisink
5 February 2017, 09:42
No, that won't work with Hiawatha. My advice, buy a cheap domain name and make some hostnames in it. Will also solve a lot of other issues.
rouilj
6 February 2017, 02:00
That's something more to maintain and pay for; additional costs will probably scuttle the whole thing.

Would you be open to the idea of adding a counter to the rproxy header?
This is the same idea as a TTL in the IP protocol.

Every time hiawatha sees a matching rproxy_id it scans the string to find the integer value.
If the value exceeds some number, it reports a loop and doesn't forward the connection.
Otherwise it increments the counter and generates the next rproxy request. In my case a limit
of 2 would work fine.

Also I tried another way to meet the requirements: have the internet-facing hiawatha proxy to a second hiawatha.

The config file for the second hiawatha binds a specific port on the loopback address.
Then the binding id is used to bind a specific port to a VirtualHost. In the virtual
host I set AccessList and PasswordFile. Should this work? I spent an hour on it and never did manage to get it working reliably.
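The hop-counter idea proposed above, written out as an added illustration. This is not how Hiawatha's `rproxy_loop_detected()` works and is not code from the thread; the header name `X-Hiawatha-RProxy-ID` comes from the discussion, while the `<id>;hops=<n>` value format, the default limit of 2 and the proxy id strings are assumptions made here.

```python
"""Hop-count loop guard for a request passing through the same proxy twice.

Added illustration of the TTL-style counter proposed in the post above.
It is not how Hiawatha's rproxy_loop_detected() works; the header name
X-Hiawatha-RProxy-ID comes from the thread, while the '<id>;hops=<n>'
value format and the default limit of 2 are assumptions made here.
"""
HEADER = "X-Hiawatha-RProxy-ID"
MAX_HOPS = 2  # the post says a limit of 2 would cover its setup


class LoopDetected(Exception):
    """Raised when a request would pass through the same proxy too often."""


def parse_hops(value):
    """Split '<id>;hops=<n>' into (id, n). A bare '<id>' counts as one pass."""
    ident, sep, rest = value.partition(";")
    if not sep:
        return ident, 1
    key, _, num = rest.partition("=")
    if key != "hops" or not num.isdigit():
        raise ValueError(f"malformed {HEADER} value: {value!r}")
    return ident, int(num)


def next_hop(headers, my_id, max_hops=MAX_HOPS):
    """Return the headers to send upstream, or raise LoopDetected.

    headers is the incoming request's header dict. A request that already
    carries my_id has been through this proxy before: instead of refusing
    it outright (the check the thread describes), let it through while the
    number of passes stays at or below max_hops. Another proxy's id is
    forwarded untouched.
    """
    out = dict(headers)
    value = headers.get(HEADER)
    if value is None:
        out[HEADER] = f"{my_id};hops=1"
        return out
    ident, hops = parse_hops(value)
    if ident == my_id:
        if hops + 1 > max_hops:
            raise LoopDetected(f"request would pass through {my_id} {hops + 1} times")
        out[HEADER] = f"{my_id};hops={hops + 1}"
    return out


def passes_through(times, my_id, max_hops=MAX_HOPS):
    """Send one request into my_id `times` times; return the final hop count."""
    headers = {}
    for _ in range(times):
        headers = next_hop(headers, my_id, max_hops)
    return parse_hops(headers[HEADER])[1]


def would_loop(times, my_id, max_hops=MAX_HOPS):
    """True if `times` passes through my_id exceed the limit."""
    try:
        passes_through(times, my_id, max_hops)
    except LoopDetected:
        return True
    return False


if __name__ == "__main__":
    # the thread's scenario: the public virtual host proxies to a loopback
    # virtual host on the same server, so the request enters twice
    print("two passes ->", passes_through(2, "hiawatha-1"))
    print("three passes loop? ->", would_loop(3, "hiawatha-1"))
```

One caveat for anyone building this for real: the edge proxy must strip this header from requests arriving from outside, otherwise a client can set the counter itself and decide how many passes it gets. Only hops added inside the deployment should count.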
rouilj
6 February 2017, 02:20
Ok, I see how the loop detection is coded; without some major changes the TTL idea won't work.
Too bad.

But I think the second hiawatha should work, right?
Hugo Leisink
6 February 2017, 09:42
> That's something more to maintain and pay for; additional costs will probably scuttle the whole thing.

A domain costs about $10 a year and only requires setting hostnames once. I have multiple domains and they don't require any maintenance. You are trying to make it work with a whole lot of technical trickery, just to save $10 a year. I advise you to rethink this.
This topic has been closed.