Cloud Connected

Thoughts and Ideas from the Gitana Development Team

Dynamic ProxyPassReverseCookieDomain with Apache 2

We do a lot of HTML5 and JavaScript application hosting at Cloud CMS.  Our platform lets you build HTML5 applications and deploy them to our cloud infrastructure with just a couple of clicks.  As a result, we’ve gotten pretty friendly with Apache 2, virtual hosts, mod_rewrite, proxies and more.

Applications built on our platform use OAuth2 over SSL.  We support all of the authentication flows even for HTML5/JS applications.  Inherently, these applications are considered “untrusted” in any two-legged flow (such as username/password).  And with good reason - it’s simply impossible to store private information within the browser.

Heck, even your aunt Mildred could “view source” and poke around to find passwords, ids or other important “private” things sitting in your source code.  Plus, anything you put into source could be cached.  Searched.  And made public.  How ‘bout them apples?

With Cloud CMS powered apps, we recommend using a three-legged OAuth2 flow for all HTML5 and JS applications.  With a three-legged flow, the application never “sees” your private credentials at all.  There’s a bit more hopping around but, for the most part, it’s totally seamless for the end user.


Might resemble your aunt Mildred

Cloud CMS goes a step further and gives you some security enhancements that you can use for two-legged scenarios.  For one, we let you dynamically configure your domains so that you can lock down exactly which hosts are allowed to authorize.  You can also do things like create secondary client and user key/password credentials.  If a pair goes awry, you can shut them down and issue new ones.  Wallah!

A lot of these security enhancements are built around the ability for users to deploy Cloud CMS backed applications to new domains quickly.  Setting up web servers is an art and often takes a good deal of man power.  Thus, we’ve built out a fully dynamic solution that uses Apache 2, mod_rewrite and proxies.

As you might guess, we use a wildcard SSL and virtual host configuration.  One of the things we need to do is hand off requests from the HTML5 app through a proxy back to our content management API.  Our API handles the request and responds.  On the way back out, all cookies need to be mapped into the domain of the browser.

It turns out this isn’t the most intuitive thing with Apache 2 to do.  The ProxyPassReverseCookieDomain directive is good but it doesn’t support dynamic variables straight away.  In our case, we have a wild card virtual host and we’d like to be able to tell certain Set-Cookie headers to swap their domains for our selected wildcard match.  How does one do this?


mod_rewrite: first to Alpha Centauri

Our solution was to use mod_rewrite to set an Apache environment variable.  Interesting, eh?  Not exactly what mod_rewrite was intended for (perhaps).  But frankly, mod_rewrite seems like one of those plugins that can do just about anything in the universe.  I am sure when they get to Alpha Centauri, they will discover that mod_rewrite was there first.

I digress.  So we use mod_rewrite to copy the ${HTTP_HOST} variable into an environment variable.  And then we use the proxy pass interpolate feature to plug the environment variable into the cookie.

It looks like this:

 
 <VirtualHost *:80> 
 ServerName *.wassup.com
 DocumentRoot "/apps"

 ...

 # Use Mod-Rewrite to copy %{HTTP_HOST} into 
 # an Apache environment variable called "host"
 RewriteEngine On
 RewriteRule .* - [E=host:%{HTTP_HOST}]

 # Stop! Proxy Time!
 ProxyRequests Off
 ProxyPassInterpolateEnv On
 ProxyPass /proxy http://localhost:8080 interpolate
 ProxyPassReverse /proxy http://localhost:8080 interpolate
 ProxyPassReverseCookieDomain localhost ${host} interpolate

 ...

 </VirtualHost>

Hopefully this proves useful for others.  If you’re interested in learning more about Cloud CMS, just hop on over to our site at http://www.cloudcms.com and sign up for an account.  

We’ll post more cool tips as we find them!