Cross-site scripting Apache workaround
Using Apache mod_proxy to Avoid Cross-site Permissions Issues in STIQ
Introduction:
STIQ is designed to test a web application in a browser window. This works well when both STIQ and the application reside on the same host. If STIQ runs on a different host than the web application, the browser's security restrictions (the same-origin policy, which keeps pages from different scheme/host/port combinations from scripting each other) get in the way.
To work around this, Apache with mod_proxy can be set up on the host that runs STIQ. All STIQ configuration points at the local Apache, and the mod_proxy configuration forwards the requests to the application's host, so the browser sees STIQ and the application at one and the same origin.
With this setup, the application under test can run on any host, anywhere.
The diagram shows three web servers:
- Tomcat running STIQ
- Apache running mod_proxy
- Tomcat running the web application
Downloading Apache:
• Apache can be downloaded from: http://apache.org/
(Currently there is a Download link in the upper right hand corner.)
• Once a mirror has been selected, browse to the httpd folder.
• Click Binary Releases link
• Click binaries/ link
• Click win32 link
• Select the latest release (currently: apache_2.2.10-win32-x86-openssl-0.9.8i.msi) and click to download
(Locally Apache can be retrieved from: P:\Software\Apache)
Installing Apache:
Double-click the .msi file downloaded above. Accept the defaults except when asked for the installation path: change it to C:\Apache2.2. Paths containing spaces, such as "Program Files", cause problems.
Configuring Apache:
The Apache configuration file is c:\Apache2.2\conf\httpd.conf.
There are three parts to configure: the port Apache listens on, the modules mod_proxy needs, and the proxy configuration itself. Edit httpd.conf as follows.
Listen Port
- The Apache server can run on any port; 7777 was chosen here to avoid conflicts.
- Change the Listen line to:
Listen 7777
Modules Section
- The solution requires these modules; make sure their LoadModule lines are uncommented.
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule rewrite_module modules/mod_rewrite.so
Proxy configuration
- Configure the proxy by adding these lines after the "LoadModule" section.
#############################################
# This configuration assumes STIQ and the application under test reside on the same box.
# The application is /yourapp; change /yourapp to your application URL.

# Proxy configuration for STIQ
ProxyPass        /stiq        http://localhost:9999/stiq
ProxyPassReverse /stiq        http://localhost:9999/stiq
ProxyPass        /files       http://localhost:9999/files
ProxyPassReverse /files       http://localhost:9999/files
ProxyPass        /STIQResults http://localhost:9999/STIQResults
ProxyPassReverse /STIQResults http://localhost:9999/STIQResults

# If the application is on a different host, change localhost in both lines below
# to the correct host.
ProxyPass        /yourapp     http://localhost/yourapp
ProxyPassReverse /yourapp     http://localhost/yourapp

# Rewrite ProjectRoot, the STIQ repository main content page, to the STIQ server
RewriteEngine On
RewriteLog rewrite.log
RewriteRule ^/ProjectRoot(.*) http://localhost/ProjectRoot$1
############################################
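The following script is an added example, not part of the STIQ wiki page or the STIQ project. It makes the same-origin point concrete: it computes the browser origin (scheme, host, port) of the STIQ URL and of the application URL, shows that they differ when fetched directly (even on one host, a different port is a different origin) and coincide once both are addressed through the Apache on port 7777, and it generates ProxyPass/ProxyPassReverse pairs in the shape of the httpd.conf fragment above. The port numbers and paths are taken from the page's sample configuration; "apphost" is a constructed placeholder for the application host.

```python
"""Added example (not part of the STIQ wiki page): why the proxy fixes the
same-origin problem, and how to generate the ProxyPass lines for httpd.conf.
Ports and paths follow the page's sample configuration; 'apphost' is a
constructed placeholder for the application host."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) triple a browser uses as the origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return (scheme, parts.hostname.lower(), port)


def same_origin(url_a, url_b):
    """True when a page at url_a may script a frame loaded from url_b."""
    return origin(url_a) == origin(url_b)


def proxied_url(url, proxy_base):
    """Rewrite a backend URL to the URL a browser uses behind the proxy.
    Only path and query survive; scheme, host and port come from proxy_base."""
    parts = urlsplit(url)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return proxy_base.rstrip("/") + path


def proxy_config(routes):
    """Emit ProxyPass/ProxyPassReverse pairs for a {path_prefix: backend}
    mapping, in the style of the httpd.conf fragment on this page."""
    lines = []
    for prefix, backend in routes.items():
        lines.append(f"ProxyPass {prefix} {backend}")
        lines.append(f"ProxyPassReverse {prefix} {backend}")
    return "\n".join(lines)


STIQ_BACKEND = "http://localhost:9999"  # Tomcat running STIQ (page's port)
APP_BACKEND = "http://apphost"          # constructed: the application host
PROXY_BASE = "http://localhost:7777"    # Apache, Listen 7777 from the page

ROUTES = {
    "/stiq": STIQ_BACKEND + "/stiq",
    "/files": STIQ_BACKEND + "/files",
    "/STIQResults": STIQ_BACKEND + "/STIQResults",
    "/yourapp": APP_BACKEND + "/yourapp",
}

if __name__ == "__main__":
    stiq = STIQ_BACKEND + "/stiq/"
    app = APP_BACKEND + "/yourapp/login"
    print("same origin when fetched directly:", same_origin(stiq, app))
    print("same origin via the proxy:",
          same_origin(proxied_url(stiq, PROXY_BASE), proxied_url(app, PROXY_BASE)))
    print(proxy_config(ROUTES))
```

Note that `same_origin` treats `http://localhost:9999/stiq` and `http://localhost/yourapp` as different origins even though the host matches: the port is part of the origin, which is why STIQ on Tomcat's port cannot drive an application on port 80 without the proxy in front of both.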
Starting and Stopping Apache:
Apache installs the "Monitor Apache Servers" tool in the Start menu. Start that utility; it adds itself to the toolbar.
A single click on its icon opens a menu from which Apache can be started or stopped.
Testing the mod_proxy setup:
- Start the application web server
- Confirm a browser can directly access the application
- Start Apache
- Confirm a browser pointed at Apache (http://localhost:7777) gets the standard Apache welcome page
- Confirm a browser pointed at Apache with the application URL (http://localhost:7777/yourapp) reaches the application
- Start STIQ
- Confirm it can connect to Apache and hence to the application
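The script below is an added example (not part of the STIQ wiki page or of the STIQ project) that runs the three browser checks from the list above in the same order and stops at the first one that fails, so it is obvious whether the application server, Apache itself, or the mod_proxy mapping is the layer that is broken. Port 7777 and the /yourapp path come from the page; "apphost" is a constructed placeholder for the application host, and the hint texts are this example's own.

```python
"""Added example (not part of the STIQ wiki page): a scripted version of the
"Testing the mod_proxy setup" checklist. Checks run in the page's order and
the first failure names the layer to look at. 'apphost' is a constructed
placeholder; port 7777 and /yourapp follow the page's configuration."""
import urllib.error
import urllib.request

APP_DIRECT = "http://apphost/yourapp"             # constructed application host
APACHE_ROOT = "http://localhost:7777/"            # Apache, Listen 7777
APP_VIA_PROXY = "http://localhost:7777/yourapp"   # ProxyPass /yourapp

# Each step: (label, url, hint shown when this is the first step to fail)
STEPS = [
    ("application directly", APP_DIRECT,
     "the application web server is not up or not reachable from this host"),
    ("Apache root page", APACHE_ROOT,
     "Apache is not running or is not listening on the configured port"),
    ("application via proxy", APP_VIA_PROXY,
     "mod_proxy is not loaded or the ProxyPass path/backend does not match"),
]


def http_status(url, timeout=5):
    """Fetch url and return the HTTP status code, or None when no HTTP
    response arrived at all (connection refused, DNS failure, timeout)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code  # the server answered, just not with success
    except (urllib.error.URLError, OSError):
        return None


def check_setup(fetch=http_status):
    """Run the checklist in order and return (ok, report_lines).
    'fetch' maps a URL to a status code (or None) and is injectable so the
    checklist logic can be exercised without a network."""
    report = []
    for label, url, hint in STEPS:
        status = fetch(url)
        if status is not None and status < 400:
            report.append(f"PASS {label}: {url} -> {status}")
            continue
        shown = "no response" if status is None else f"HTTP {status}"
        report.append(f"FAIL {label}: {url} -> {shown}; {hint}")
        return False, report
    return True, report


if __name__ == "__main__":
    ok, lines = check_setup()
    print("\n".join(lines))
    raise SystemExit(0 if ok else 1)
```

Run it after starting the application server and Apache; a non-zero exit code together with the FAIL line tells you which of the page's steps to revisit before starting STIQ.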
Bibliography:
Information used to create this document was retrieved from: http://chrissterling.gettingagile.com/category/dotnet/
Professional Services, SolutionsIQ.com