From faeda1ab850f11da0ed7df4fac985ff9e96454b3 Mon Sep 17 00:00:00 2001 From: "James E. Blair" Date: Mon, 6 Apr 2020 14:59:20 -0700 Subject: [PATCH] Don't proxy urls that don't appear in the map If a rewritemap fails to find a URL, mod_rewrite will nonetheless continue to attempt to proxy the request; if the request has a hostname in the URI (as it would if it were being used as a forward proxy), then it will proxy to that URI. The upshot is that this was behaving as an open proxy for any URL that it didn't know about. Correct this by "proxying" to http://localhost/notfound in all cases where the map program fails, and then cause that URL to always fail with a 403. This seems a little Rube Goldberg, but I don't see another way to deal with map failures in a rewriterule proxy. Change-Id: I1fdace79b6059c0297dd27b6bc9ce0afa9fe1396
---
 vhost.conf | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/vhost.conf b/vhost.conf
index 0bdc5c7..d295c6c 100644
--- a/vhost.conf
+++ b/vhost.conf
@@ -7,5 +7,6 @@
 # LogLevel alert rewrite:trace6
 RewriteEngine On
 RewriteMap preview "prg://usr/local/bin/zuul-preview"
- RewriteRule "^/?(.*)$" "${preview:%{ENV:ZUUL_API_URL} %{HTTP_HOST}}/$1" [P]
+ RewriteRule "^/notfound" "-" [F]
+ RewriteRule "^/?(.*)$" "${preview:%{ENV:ZUUL_API_URL} %{HTTP_HOST}|http://localhost/notfound}/$1" [P]
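Review bot: The deny path in the new `[P]` rule only produces a 403 if the loopback request to `http://localhost/notfound/...` is answered by this same vhost, which the hunk does not show (the enclosing vhost block starts outside it); if port 80 on localhost is served by another vhost or service, unknown hosts would be proxied there instead of refused. A comment above the rule such as `# Map misses are proxied back to this vhost and refused by the /notfound rule; keep that rule first` would record the coupling. The `^/notfound` pattern is also unanchored and applies to every Host, so a previewed site with a path like `/notfound.html` is refused; because the fallback always appends `/$1`, `RewriteRule "^/notfound/" "-" [F]` with a less collision-prone sentinel path looks sufficient. A `RewriteCond "${preview:%{ENV:ZUUL_API_URL} %{HTTP_HOST}}" "^(.+)$"` feeding `%1/$1` into the proxy rule, followed by a catch-all `[F]`, may avoid the loopback hop entirely, but it needs testing against how the map program reports a miss.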