Reverse proxy in Apache + CentOS for HTTPS requests to PostgREST webserver - apache

I would like to make https requests to my postgREST webserver, which by design doesn't support https. I have spent several days on this and don't know how to go any further...
My setup
My server is running on CentOS 7.9.2009
I have a website domain that uses Wordpress to serve my content in home/myuser/public_html
I setup PostgREST 7.0.1 on my server which runs on port 3000
I am running Apache/2.4.51 (cPanel)
My Problem
The following request works just fine: http://my-domain.com:3000/my_db_table
I would like to run the same request like: https://my-domain.com/api/my_db_table
My Apache configuration is in an "includes" file, seems to be loaded (as errors occur when I put wrong syntax intentionally in this file) and it looks like this:
<VirtualHost *:443>
DocumentRoot /
ServerName my-domain.com
ServerAlias my-domain
ErrorLog /home/myuser/public_html/api/error.log
CustomLog /home/myuser/public_html/api/access.log combined
SSLEngine on
SSLUseStapling off
SSLCertificateFile /etc/ssl/certs/server.my-domain.com.crt
SSLCertificateKeyFile /etc/ssl/private/server.my-domain.com.key
<Location /api/ >
ProxyPreserveHost On
ProxyPass http://localhost:3000/
ProxyPassReverse http://localhost:3000/
RequestHeader set X-Forwarded-Port "443"
RequestHeader set X-Forwarded-Proto "https"
</Location>
</VirtualHost>
Running httpd -t returns Syntax OK.
After my changes I run sudo systemctl restart httpd.
When I then try to do a request like curl -i https://my-domain.com/api/my_db_table I am redirected to the 404 page of my Wordpress website.
The error.log file of my apache config does not include any errors (it included errors for stapling which I resolved by adding the line SSLUseStapling off in my config).
I don't know what to do anymore. And because I don't have any error logs I don't even know how to start debugging it. I would be happy for any hint somebody could provide me.

I have successfully used https with postgrest and the following settings in the virtualhost section, but I didn't use the tag.
ProxyHTMLEnable On
ProxyPreserveHost On
SSLEngine on
SSLProxyEngine On
RewriteEngine on
#Proxy for postgrest api
ProxyPassMatch "/api/(.*)" "http://localhost:3000/$1"
ProxyPassReverse "/api/" "http://localhost:3000/"
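A hardened form of the /api/ reverse-proxy virtual host discussed in this thread, as an added example that is not from the question or the answer. It assumes Apache 2.4 with mod_ssl, mod_proxy, mod_proxy_http and mod_headers loaded; the DocumentRoot and log paths are assumptions, and the certificate paths are the ones from the question.

```apache
# Added example (not the poster's configuration). Assumed paths are marked.
<VirtualHost *:443>
    ServerName my-domain.com

    # The question used "DocumentRoot /", which makes the filesystem root the
    # web root. Point it at the site directory instead (assumed path).
    DocumentRoot /home/myuser/public_html

    # Keep logs outside the web root; files under public_html are served as
    # site content. The log directory below is an assumption.
    ErrorLog  /var/log/httpd/api-error.log
    CustomLog /var/log/httpd/api-access.log combined

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/server.my-domain.com.crt
    SSLCertificateKeyFile /etc/ssl/private/server.my-domain.com.key

    # Reverse proxy only: never act as a forward (open) proxy.
    ProxyRequests Off

    # Map /api/ to the PostgREST root. Both sides end in "/" so that
    # /api/my_db_table becomes /my_db_table on the backend.
    ProxyPass        /api/ http://127.0.0.1:3000/
    ProxyPassReverse /api/ http://127.0.0.1:3000/

    <Location /api/>
        # Overwrite, rather than trust, client-supplied forwarding headers.
        RequestHeader set X-Forwarded-Proto "https"
        RequestHeader set X-Forwarded-Port "443"
    </Location>
</VirtualHost>
```

TLS on /api/ protects nothing while http://my-domain.com:3000/ stays reachable from outside, so bind PostgREST to the loopback interface or firewall port 3000. Running apachectl -S shows which virtual host actually answers for my-domain.com on port 443.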

Related

Apache ProxyPass HTTP does not work with SSL

I was trying to add cloudflare SSL certification to the website I host locally, and force HTTPS for all users.
Connecting to IP:80 works fine (from inside my network). IP:443 fails as it expects a SSL certificate. Accessing domainname.com tells me the site is secure, so the SSL certificate works. But whenever I access it this way, the proxy website doesn't, displaying the 'Apache2 Default Page'. Same with connecting to IP:80 outside the network, it fails to proxy pass.
This is the config file I have setup, and by running apachectl -S I checked that no other rules exist.
<VirtualHost *:80>
ServerName name.com:80
ProxyPreserveHost On
ProxyPass / http://localhost:7000/
ProxyPassReverse / http://localhost:7000/
</VirtualHost>
<VirtualHost *:443>
ServerName name.com:443
SSLEngine on
SSLCertificateFile /etc/cloudflare/name.com.pem
SSLCertificateKeyFile /etc/cloudflare/name.com.key
ProxyPreserveHost On
ProxyPass / http://localhost:7000/
ProxyPassReverse / http://localhost:7000/
</VirtualHost>
Is this because I am trying to load an http website, even though it is local? And if this is true, how else can I solve this problem? I feel so close, thanks for the help.
I solved it by switching to the default-ssl config file provided with Apache2 and removing my version; the issue resolved itself. Not sure why it worked the second time I tried it, but oh well.

Reverse proxy an http:// domain to a GitHub Pages URL

I have a URL, http://example.com, that I would like to use to serve content from my GitHub Pages site at https://myusername.github.io/mysite/ via a reverse proxy in Apache. This is both as a temporary workaround until I update example.com's DNS setting to point to GitHub Pages, as well as to teach myself how reverse proxies work.
I have my Apache config like so:
<VirtualHost *:80>
ServerName example.com
SSLEngine On
SSLProxyEngine On
SSLProxyVerify none
SSLProxyCheckPeerCN off
ProxyPass "/" "https://myusername.github.io/mysite/"
</VirtualHost>
When I try to go to "example.com", I get "The proxy server could not handle the request GET /.
Reason: Error during SSL Handshake with remote server."
Is what I'm trying to do possible, and if so, what should I be changing?
I'm using Apache 2.2.
You should probably remove the line:
SSLEngine On
It enables HTTPS on your port 80... but you don't provide an SSL certificate (...and HTTPS uses port 443).
You should also add the line:
ProxyPassReverse "/" "https://myusername.github.io/mysite/"
The following config works perfectly for reverse proxying GitHub Pages:
<VirtualHost *:80>
ServerName custom-domain
ServerAdmin encycode#gmail.com
ProxyRequests Off
ProxyPreserveHost On
SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
RequestHeader set Host "myusername.github.io"
RequestHeader set X-Forwarded-Proto https
RequestHeader set Origin "myusername.github.io"
ProxyPass / https://myusername.github.io/mysite/
ProxyPassReverse / https://myusername.github.io/mysite/
</VirtualHost>
Make sure you replace myusername with your GitHub username, mysite with your GitHub repo name and custom-domain with your custom URL.
You don't have to implement a reverse proxy yourself, since GitHub allows you to specify a custom domain:
https://docs.github.com/en/pages/configuring-a-custom-domain-for-your-github-pages-site
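The working configuration in this thread switches off every certificate check on the connection from Apache to GitHub, so the proxy would accept any certificate presented on that hop. An added example (not from either answer) of the same proxy with upstream verification left on, assuming Apache 2.4 with mod_ssl, mod_proxy and mod_proxy_http; the CA bundle path is an assumption for a Debian-style system:

```apache
# Added example (not from the answers above). CA bundle path is an assumption.
<VirtualHost *:80>
    ServerName custom-domain

    ProxyRequests Off
    SSLProxyEngine on

    # Weak settings from the answer, for comparison (left commented out):
    #   SSLProxyVerify none
    #   SSLProxyCheckPeerCN off
    #   SSLProxyCheckPeerName off
    #   SSLProxyCheckPeerExpire off

    # Require a certificate chain that validates against a trusted CA bundle.
    SSLProxyVerify require
    SSLProxyVerifyDepth 3
    SSLProxyCACertificateFile /etc/ssl/certs/ca-certificates.crt

    # Require the certificate to match the backend host name and be unexpired.
    SSLProxyCheckPeerName on
    SSLProxyCheckPeerExpire on

    # GitHub Pages selects the site by Host header, so send the backend's
    # name in the Host header rather than the client's.
    ProxyPreserveHost Off
    ProxyPass        / https://myusername.github.io/mysite/
    ProxyPassReverse / https://myusername.github.io/mysite/
</VirtualHost>
```

If the handshake fails with these settings, the error log names the check that rejected the certificate, which is more useful than disabling the checks.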

Apache reverse proxy by HTTP/2 will lose MIME-type and use default

English is not my native language, please excuse typing errors.
I configured the Apache reverse proxy as follows, and it works fine.
ProxyRequests Off
SSLEngine On
SSLProxyEngine On
ProxyPass / https://example.com/
ProxyPassReverse / https://example.com/
And my website (PHP) supports HTTP/2, so I want to proxy it by HTTP/2.
I enabled mod_proxy, mod_proxy_http, mod_ssl, mod_http2, mod_proxy_http2 and some other modules, and set the .php MIME-type as application/x-httpd-php.
AddType application/x-httpd-php .php
The VirtualHost is as follows:
<VirtualHost *:443>
DocumentRoot "/path/to/wwwroot/"
ServerName localhost:443
ProxyRequests Off
SSLEngine On
SSLProxyEngine On
ProxyPass / h2://example.com/
ProxyPassReverse / https://example.com/
# Cert
SSLCertificateFile ...
SSLCertificateKeyFile ...
</VirtualHost>
The difference is changing ProxyPass / https://example.com/ to ProxyPass / h2://example.com/.
The Content-Type response header in the browser always gets the default MIME-type.
You can find an example at the phpMyAdmin Demo: filter whitelist.php in DevTools; this file's Content-Type is text/javascript.
When proxied by HTTP/2, the Content-Type becomes application/x-httpd-php; it loses the source MIME-type text/javascript.
When proxied by HTTP/1.1, it works well.
How can I resolve this problem?
Thank you.
It's an old question, but I ran into the same problem and decided to investigate.
I found a bug in the http2 proxy.
It will be fixed in the next HTTPD release (2.4.55).
Virtual Host file configuration:
<VirtualHost *:443>
ServerAdmin admin#test.com
ServerName example.com
ServerAlias www.example.com
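# mod_ssl directive names (ssl_certificate / ssl_certificate_key are nginx syntax)
SSLEngine On
SSLCertificateFile .....
SSLCertificateKeyFile ..........
ProxyRequests Off
# Order/Allow are only valid inside a container such as <Proxy>
<Proxy *>
Order deny,allow
Allow from all
</Proxy>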
<Location />
ProxyPass http://example.com:8000/
ProxyPassReverse http://example.com:8000/
</Location>
</VirtualHost>
Next we need to enable a few Apache modules. To do this, issue the following commands:
sudo a2enmod proxy
sudo a2enmod proxy_http
sudo a2enmod proxy_balancer
sudo a2enmod lbmethod_byrequests
Apache will now need to be restarted with the command:
sudo service apache2 restart

Apache web server configuration - HTTP to HTTPS not working

I've been at this for two weeks now and still nothing. What's even odd is I've done this on a different server and it worked so I don't understand why this isn't working. Really frustrated here.
I'm trying to configure my apache web server on my RHEL so that HTTP requests are redirected to HTTPS, which then points to my tomcat.
This is my configuration:
<VirtualHost *:80>
ServerName server.com
Redirect / https://server.com/
</VirtualHost>
<VirtualHost *:443>
ServerName server.com
ServerAlias www.server.com
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080
SSLEngine on
SSLProxyEngine on
SSLCertificateFile /etc/pki/tls/certs/cert.cert.pem
SSLCertificateKeyFile /etc/pki/tls/private/key.key.pem
#SSLCACertificateFile /etc/pki/tls/certs/ca-chain.cert.pem
</VirtualHost>
Believe me when I say I have tried so many different combinations yet nothing. I have commented and un-commented the Include conf.d/ssl.conf, still no effect.
Please, what am I doing wrong here?
First of all: "isn't working" is quite a weak description. I might or might not hit what your problem is, but I see several options:
First: Test if the forward works
Second: What's the result when you're connecting to the https server? You can try this without the forward - just type the https protocol yourself and figure out if you can rule out the forward configuration completely.
"I've done this on a different server and it worked"
You're forwarding to localhost:8080. If that other server had tomcat installed (and running) on port 8080, but the one that you're trying now doesn't - well, here's your solution. localhost is always "the same" computer.
As Ortomala Lokni mentions in a comment: Your ProxyPassReverse directive is lacking a /:
ProxyPassReverse / http://localhost:8080/
Note that with this configuration, tomcat will not know that the original request has been sent through https - thus any CONFIDENTIAL declaration on tomcat assumes that the request has been sent in the clear - and it will try to redirect to https. As the ProxyPass still forwards through http, Tomcat will never know that the request actually was encrypted. There are hacks to work around this (e.g. secure="true" on the connector configuration) or a more proper solution (like forwarding through AJP instead of http):
ProxyPass / ajp://localhost:8009/
(notice the changed port)
There's potential for more going wrong - in case these hints don't help, please specify "isn't working" more.
Thanks ever so much! Especially you, Olaf Kock. Your suggestion was golden! Just like you suggested, I decided to forget about the forwarding and focus on what happens when I try connecting to the HTTPS directly, and that's when I came across this error:
proxy: HTTP: disabled connection for (localhost)
I did a little search and found out that I had to run this command to get things rolling: /usr/sbin/setsebool -P httpd_can_network_connect 1
(Note, there are other variations of this command, like: setsebool -P httpd_can_network_connect on or sudo setsebool -P httpd_can_network_connect on)
Then I had to setup these in the ssl.conf file under the <VirtualHost _default_:443> tag:
ServerName server.com
ServerAlias www.server.com
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
And it worked!
However, I didn't want to have to reference the ssl.conf file. I wanted everything in the httpd.conf file, and so after tinkering a bit, this is what worked for me, and I believe should work for anyone with a similar problem.
So, after commenting out the include conf.d/ssl.conf line:
LoadModule ssl_module modules/mod_ssl.so
Listen 443
#For HTTP requests, redirecting to HTTPS
<VirtualHost *:80>
ServerName server.com
Redirect / https://server.com/
</VirtualHost>
#For HTTPS requests
<VirtualHost *:443>
ServerName server.com
ServerAlias www.server.com
ProxyPreserveHost On
ProxyRequests Off
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/cert.cert.pem
SSLCertificateKeyFile /etc/pki/tls/private/key.key.pem
#SSLCACertificateFile /etc/pki/tls/certs/ca-chain.cert.pem
</VirtualHost>
Obviously, you should have installed your mod_ssl in the first place.
Thanks everyone!

apache 2 proxypassreverse appends virtualhost port

I have been trying to set up a reverse proxy using apache 2 mod_proxy and the proxypass & proxypassreverse directives.
I am installing WSO2 Identity Server and wish to access that app using a url such as the following:
hxxp://myserver.domain.com/wso2/
The myserver.domain.com is accessible on the internet
Internally on my network I have set up a virtualhost running in my apache2 configuration with the following parameters:
For various reasons, port 80 is unavailable and the virtualhost must stay as :8080.
Finally, here is my virtual host configuration
<VirtualHost *:8080>
<Location /wso2/>
ProxyPass https://internal.wso2.node:9443/
ProxyPassReverse https://internal.wso2.node:9443/
</Location>
ProxyVia On
ProxyPreserveHost Off
ProxyAddHeaders Off
ProxyRequests Off
SSLProxyEngine On
SSLProxyCheckPeerCN Off
</VirtualHost>
The issue:
I can use my web browser ( Firefox/Chrome) to request the http://myserver.domain.com/wso2/ resource. In my log files I see that the request does hit the apache server and the virtualhost catches the /wso2/ location.
It passes through the proxy and lands on the internal.wso2.node server. However, the product WSO2 IS performs several redirects, and in the log files I see it requesting the resource with the port appended.
Here is the request flow
hxxp://myserver.domain.com/wso2/ -> hxxps://internal.wso2.node:9443/
REDIRECT x3
hxxps://internal.wso2.node:8080/carbon ->
hxxps://internal.wso2.node:8080/carbon/admin/login.jsp
Back to my web browser
hxxp://myserver.domain.com:8080/wso2/carbon/admin/login.jsp
For some reason the apache response back appends its virtual host to the url I am requesting.
If I remove the port:8080 and request again the full url it will access the resource fine. However any attempt to access using only http://myserver.domain.com/wso2/ will result in redirects and the port appended.
As per covener's suggestion the culprit in this case proved to be the following directives:
UseCanonicalName Off
UseCanonicalPhysicalPort Off
Additionally, the web app I am trying to access makes use of sessions and cookies, therefore we must also proxy those, see the added directives under the ProxyPass & ProxyPassReverse.
Therefore the updated virtualhost configuration file should now look like this
<VirtualHost *:8080>
ServerName myServer.domain.com
UseCanonicalName Off
UseCanonicalPhysicalPort Off
<Location /wso2/>
ProxyPass https://internal.wso2.node:9443/
ProxyPassReverse https://internal.wso2.node:9443/
ProxyPassReverseCookiePath / /wso2/
ProxyPassReverseCookieDomain internal.wso2.node myserver.domain.com
</Location>
ProxyVia On
ProxyPreserveHost Off
ProxyAddHeaders Off
ProxyRequests Off
SSLProxyEngine On
SSLProxyCheckPeerCN Off
</VirtualHost>