[mod_python] Cookies & mod_rewrite

Deron Meranda deron.meranda at gmail.com
Tue Sep 26 17:02:40 EDT 2006


On 9/20/06, CARTWRIGHT, Guy, GBM <Guy.CARTWRIGHT at rbos.com> wrote:
> >  From memory, you can set req.headers_in and it will go
> > through to backend via proxy. Give it a try anyway. Simply go:
> >    req.headers_in['X-MyHeader'] = 'test'
> > and see if it gets through.
>
> No luck with the above, or with:
>     req.headers_out['X-MyHeader'] = 'test'

Hmm, setting req.headers_in should allow you to pass additional
headers onto the reverse proxied "backend" server.  It does need
to be in an early phase, such as fixups or access.  Remember that
you are modifying (or adding to) the client's headers on their
way into the request, hence the headers_in instead of headers_out.

Be aware that some special headers will be filtered out though by the
mod_proxy handler, such as proxy related or headers like Max-Forwards,
Via, X-Forwarded-*, or any hop-specific headers such as Connection or
Transfer-Encoding.  But all other non-special headers should be passed
through.  mod_proxy can be configured to do some URL munging though,
so check if you have any ProxyPassReverseCookie* directives.

I can definitely get synthetic cookies working with just plain mod_proxy
using the ProxyPass directive, such as:

<Location /proxytest>
    PythonAccessHandler myproxymod::revproxyhandler
    PythonDebug On
    ProxyPass http://my.backend.server/content
</Location>

And my handler code is just:
  from mod_python import apache

  def revproxyhandler(req):
      # Add a header to the incoming request before mod_proxy forwards it
      req.headers_in['X-This-Is-A-Test'] = 'Hello'
      return apache.OK

You can of course use an Auth* handler, Fixup, etc. as long as it's
before the main request processing phase (and after mapping or
storage phases).

I can't seem to get mod_rewrite's [P] flag to work currently though.
But I'm sure I just don't understand mod_rewrite well enough.

Just curious--why are you using mod_rewrite in this case,
since mod_proxy should be sufficient (you're not really using
any regex functionality)?

> but the following does work and gets passed through to the back-end
> server...
>     req.err_headers_out['X-MyHeader'] = 'test'
>     return apache.OK
> Weird...

Can't explain that one either!

Also just a few notes on security.  I assume your backend server
is checking its authentication by looking for this cookie.  And your
front-end proxy server is doing NTLM and synthetically creating
that cookie.

Realize that this cookie should be "private" between your webserver
and the backend server.  At a minimum you should make sure that
the browser can never send this cookie in a Cookie header.  So you
should probably always delete it from the req.headers_in.
-- 
Deron Meranda
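
The cookie hygiene described in the security note above, as an added example that is not part of the original post: a handler that removes any client-supplied copy of the synthetic cookie before adding the proxy's own. The cookie name `backend_auth`, the helper `strip_cookie`, and the use of `req.user` as the cookie value are assumptions made for illustration.

```python
import re

try:
    from mod_python import apache      # available when running under Apache
    OK = apache.OK
except ImportError:                    # lets the logic be exercised offline
    OK = 0

AUTH_COOKIE = "backend_auth"           # hypothetical name of the synthetic cookie


def strip_cookie(header, name):
    """Remove every cookie called `name` from a Cookie header value."""
    kept = []
    # Split on ';' and also on ',' so that a copy arriving in a second
    # Cookie header (which may reach the handler comma-joined) is caught too.
    for pair in re.split(r"[;,]", header):
        pair = pair.strip()
        key = pair.split("=", 1)[0].strip()
        # Compare case-insensitively: the backend's parser may ignore case.
        if pair and key.lower() != name.lower():
            kept.append(pair)
    return "; ".join(kept)


def fixuphandler(req):
    """Drop any client-sent auth cookie, then add the proxy's own copy."""
    cookies = strip_cookie(req.headers_in.get("Cookie", ""), AUTH_COOKIE)
    if req.user:                       # set by the earlier authentication phase
        own = "%s=%s" % (AUTH_COOKIE, req.user)
        cookies = own + "; " + cookies if cookies else own
    if cookies:
        req.headers_in["Cookie"] = cookies
    elif req.headers_in.get("Cookie") is not None:
        # Nothing legitimate left: remove the header instead of sending it empty.
        del req.headers_in["Cookie"]
    return OK
```

Stripping happens even when no user is authenticated, so an unauthenticated request can never carry the cookie through to the backend.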

