Reverse proxy Apache configuration is allowing unwanted traffic through the server - apache

To allow access to a specific server that is not publicly available, we've structured an architecture with an Apache webserver exposed on the Internet, and we would like to configure it as a reverse proxy to redirect only some requests to the private server.
This is the piece of httpd.conf file:
Listen 5000
<VirtualHost *:5000>
ServerAdmin webmaster@localhost
ServerName servername
ErrorLog /etc/httpd/conf/error.log
#<Location />
# ProxyPass "http://...:5000/"
# ProxyPassReverse "http://...:5000"
# Order allow,deny
# Allow from all
#</Location>
ProxyRequests Off
ProxyPreserveHost On
ProxyPass "/" "http://...:5000/" interpolate connectiontimeout=30 timeout=12000
#RewriteRule ^(.*) "http://...:5000/$1"
#ProxyPassMatch ^(.*) "http://...:5000/$1"
ProxyPassReverse "/" "http://...:5000/"
</VirtualHost>
Whenever we put Listen 5000, a lot of undesired traffic passes through the server to other servers on the Internet.
In the code above the commented lines are some of the attempts I've made.
What is wrong in the configuration that it is not stopping the server from working as a proxy for everything?
Thank you in advance for the help

If you want to deny some paths from being proxied you have to use the "!": here is a link to the documentation explaining how to do it: http://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxypass
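One way to apply that exclusion syntax, as an added example that is not part of the question or the answer (the backend name backend.internal, the /app/ prefix and the excluded paths are assumptions):

```apache
Listen 5000
<VirtualHost *:5000>
    ServerName servername
    ErrorLog /etc/httpd/conf/error.log

    # Never act as a forward proxy: with ProxyRequests Off only the
    # explicit ProxyPass mappings below are honoured.
    ProxyRequests Off
    ProxyPreserveHost On

    # ProxyPass rules are checked in configuration order and the first
    # match wins, so the "!" exclusions must come before the catch-all.
    ProxyPass "/admin"         "!"
    ProxyPass "/server-status" "!"
    ProxyPass "/.well-known"   "!"

    # Preferred: map only the prefixes the private server should receive
    # (assumed prefix /app/), and leave everything else to this host.
    ProxyPass        "/app/" "http://backend.internal:5000/app/" connectiontimeout=30 timeout=12000
    ProxyPassReverse "/app/" "http://backend.internal:5000/app/"

    # If a catch-all is unavoidable, keep it last so the exclusions above win.
    ProxyPass        "/" "http://backend.internal:5000/" connectiontimeout=30 timeout=12000
    ProxyPassReverse "/" "http://backend.internal:5000/"

    # Access control for requests that do get proxied (Apache 2.4 syntax);
    # narrow it with "Require ip ..." if the service should not be public.
    <Proxy "http://backend.internal:5000/*">
        Require all granted
    </Proxy>
</VirtualHost>
```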

Related

Apache and 302 redirect issues

I want to temporary bypass a 302 browser redirect by configuring Apache to rewrite all incoming HTTP requests from an external to an internal address before proxy-ing the request to a tomcat server listening on localhost. Reason being that the internal address is not exposed to the user environment. Ultimately the problem should be solved by reconfiguring the application to not redirect the initial browser request to an internal URL for authentication (the OPENAM XUI login page) but for now a workaround is needed.
My first attempt to achieve this was by using the standard ProxyPass and ProxyPassReverse directives but it seems that a 302 redirect request causes the client to break out of the proxy. My hope is now that that with help of the mod_rewrite engine I can make the redirect request not happening by configuring an internal-to-external http-request "translator". Unfortunately all my attempts to achieve such a setup have failed.
Question: is it possible to rewrite all incoming http requests from "https://external.app-server.com/app1/" to "https://internal.app-server.com/app1/" before the request is proxied to a localhost tomcat instance?
My current (not working) Apache config:
RewriteEngine On
RewriteCond %{HTTP_HOST} !^https://internal\.app-server\.com
RewriteRule "^/app1(.*)" http://localhost:8080/app1$1
RewriteRule "^/openam(.*)" https://localhost:8081/openam$1
SSLProxyEngine on
ProxyPreserveHost off
# ProxyPass /app1 http://localhost:8080/app1/
ProxyPassReverse /app1 http://localhost:8080/app1/
# ProxyPass /openam http://localhost:8081/openam
ProxyPassReverse /openam http://localhost:8081/openam
You will need 2 VirtualHost configurations.
Scenario:
users connect to https://external.example.com/app1
this proxies to https://internal.example.com/app1
this proxies to Tomcat at localhost:PORT
Your Apache configuration could look like:
Listen 443
# Responds to external.example.com requests
<VirtualHost *:443>
ServerName external.example.com
CustomLog "logs/external.access.log" common
ErrorLog "logs/external.error.log"
LogLevel debug
# TODO SSL directives
ProxyPass "/app1" "https://internal.example.com:8080/app1"
ProxyPassReverse "/app1" "https://internal.example.com:8080/app1"
</VirtualHost>
# Responds to internal.example.com requests
<VirtualHost *:443>
ServerName internal.example.com
CustomLog "logs/internal.access.log" common
ErrorLog "logs/internal.error.log"
LogLevel debug
# TODO SSL directives
ProxyPass "/app1" "http://localhost:8080/"
ProxyPassReverse "/app1" "http://localhost:8080/"
</VirtualHost>
Note: modify the port with the real Tomcat port you are using (instead of 8080).
Note 2: split your logs, it makes debugging much easier.
Note 3: can be used in HTML files, not apache configuration.
Note 4: to comment out a configuration line, put #. I do not know what \# does...
OR
If the server that responds to external.example.com and internal.example.com is the same, you can proxy both to tomcat directly.
You would do it like this:
Listen 443
# Responds to external.example.com requests
<VirtualHost *:443>
ServerName external.example.com
CustomLog "logs/external.access.log" common
ErrorLog "logs/external.error.log"
LogLevel debug
# TODO SSL directives
ProxyPass "/app1" "http://localhost:8080/"
ProxyPassReverse "/app1" "http://localhost:8080/"
</VirtualHost>
# Responds to internal.example.com requests
<VirtualHost *:443>
ServerName internal.example.com
CustomLog "logs/internal.access.log" common
ErrorLog "logs/internal.error.log"
LogLevel debug
# TODO SSL directives
ProxyPass "/app1" "http://localhost:8080/"
ProxyPassReverse "/app1" "http://localhost:8080/"
</VirtualHost>

Redirect specific HTTPS request to a specific port with apache

I have a problem redirecting some requests to another port. Here's my configuration:
I have a public domain like XXXX.ddns.net
I have a Raspbian server with apache and files in my /var/www folders are correctly served (angular website)
On the same Raspbian server there is a REST server running on the 3000 port
This is running on HTTPS with SSL(letsencrypt)
I would like that all requests to XXXX.ddns.net/api/* to be redirected to the 3000 port.
I changed the .htaccess file and the rewrite rule seems to work locally, but I can't make it work from my Internet site. API requests end with a 500 error.
Here is my current .htaccess file:
RewriteEngine On
RewriteRule ^api/(.*) https://localhost:3000/api/$1 [QSA]
# not sure if it should be http or https in the rule but nothing works
#RewriteRule ^api/(.*) http://localhost:3000/api/$1 [QSA]
# If an existing asset or directory is requested go to it as it is
RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} -f [OR]
RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} -d
RewriteRule ^ - [L]
# If the requested pattern is file and file doesn't exist, send 404
RewriteCond %{REQUEST_URI} ^(\/[a-z_\-\s0-9\.]+)+\.[a-zA-Z]{2,4}$
RewriteRule ^ - [L,R=404]
Here is my current 000-default-le-ssl.conf file (in /etc/apache2/sites-available):
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ServerName XXXX.ddns.net
SSLCertificateFile /etc/letsencrypt/live/XXXX.ddns.net/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/XXXX.ddns.net/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
<Location /api>
ProxyPass http://127.0.0.1:3000/api
ProxyPassReverse http://127.0.0.1:3000/api
</Location>
</VirtualHost>
</IfModule>
If someone could help me to achieve it...
Thanks!
Your self-found solution looks strange to me. You switch on the SSLProxyEngine and then disable all security measures. Is the backend API running under HTTPS and HTTP at port 3000 at the same time? This is not possible.
I use this setup (apache as proxy to backend application) pretty often and would suggest the following configuration:
As I did not understand the purpose of the rewrite directives I left them out. The VirtualHost at port 80 always redirects HTTP requests to HTTPS. If this works add permanent to the directive (permanent is cached by some browsers, see comment in VirtualHost *:80).
The VirtualHost for HTTPS serves content from your DocumentRoot at /var/www/html. The Directory directive takes care that only correctly addressed files are served (no lookups possible). The VirtualHost also provides the proxy for the /api on the same server on port 3000.
It should work for apache 2.4 if your letsencrypt configuration is correct (fill-in the XXXX). Both VirtualHost configurations can be written into a single file, usually located in /etc/apache2/sites-available with a symlink to /etc/apache2/sites-enabled. Please remove/rename your .htaccess file and other configurations before testing this configuration. If you need access control through apache this could also be configured directly in the VirtualHost configuration.
<VirtualHost *:80>
ServerName XXXX.ddns.net
# Always https
Redirect / https://XXXX.ddns.net/
# Redirect permanent / https://XXXX.ddns.net/
</VirtualHost>
<VirtualHost *:443>
ServerAdmin webmaster@localhost
ServerName XXXX.ddns.net
# These are your SSL settings; your responsibility
SSLCertificateFile /etc/letsencrypt/live/XXXX.ddns.net/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/XXXX.ddns.net/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
# Your document root; where the JavaScript application lives
DocumentRoot /var/www/html
<Directory /var/www/html/ >
Options -Indexes +FollowSymLinks -MultiViews
AllowOverride None
Order Allow,Deny
Allow From All
</Directory>
# Reverse proxy settings for api
ProxyRequests Off
ProxyPreserveHost On
<Location /api >
ProxyPass http://127.0.0.1:3000/api
ProxyPassReverse http://127.0.0.1:3000/api
</Location>
</VirtualHost>
Thanks for your help. I don't really know how but it works now!
I don't remember exactly what I did, but the last thing was to modify my 000-default-le-ssl.conf file like this:
SSLProxyEngine On
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
<Location /api>
ProxyPass http://127.0.0.1:3000/api/
ProxyPassReverse http://127.0.0.1:3000/api/
ProxyPass https://127.0.0.1:3000/api/
ProxyPassReverse https://127.0.0.1:3000/api/
</Location>
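If the REST server on port 3000 really does terminate TLS, the safer form of that last block keeps peer verification on instead of switching it off. This is an added example, not from either poster; the name api.internal (assumed to resolve to 127.0.0.1 and to match the backend certificate) and the CA file path are assumptions:

```apache
<VirtualHost *:443>
    ServerName XXXX.ddns.net
    DocumentRoot /var/www/html
    SSLCertificateFile /etc/letsencrypt/live/XXXX.ddns.net/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/XXXX.ddns.net/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf

    ProxyRequests Off
    # Off so the backend URL's own hostname, not the client's Host header,
    # is what Apache connects to and checks the certificate against.
    ProxyPreserveHost Off

    # Backend speaks TLS: verify its certificate rather than disabling
    # SSLProxyVerify / SSLProxyCheckPeer*.
    SSLProxyEngine On
    SSLProxyVerify require
    SSLProxyVerifyDepth 2
    # Assumed path to the CA that issued the backend certificate.
    SSLProxyCACertificateFile /etc/ssl/certs/internal-api-ca.pem
    SSLProxyCheckPeerName on
    SSLProxyCheckPeerExpire on

    # api.internal is an assumed name resolving to 127.0.0.1 (e.g. /etc/hosts).
    <Location "/api/">
        ProxyPass        "https://api.internal:3000/api/"
        ProxyPassReverse "https://api.internal:3000/api/"
    </Location>
</VirtualHost>
```

If the backend is plain HTTP on the loopback interface, as in the answer above, none of the SSLProxy* directives are needed at all.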

Apache: Rewrite then Proxy

So, I have two servers, let's call them nice.server and a.another.server
nice.server is what clients will talk to and is running Apache2 performing basic reverse proxy for simple services, a.another.server hosts a proprietary application server on port . I need to completely rewrite two URLs before they get passed through, but just add a folder to all other URLs.
Some Examples below:
User Requests: nice.server/
Apache requests a.another.server:8080/appname
User Requests: nice.server/css.css
Apache requests a.another.server:8080/appname/css.css
User Requests: nice.server/a
Apache requests a.another.server:8080/appname/command1?name=option1
User Requests: nice.server/b
Apache requests a.another.server:8080/appname/app2?name=option2
I have done a lot of Googling and tests on this but cannot seem to get it to work, sorry I've not kept the links that I've tried!!! I have stripped the vHost file right back down for now.
<VirtualHost *:80>
ServerName service.domain.com
ErrorLog ${APACHE_LOG_DIR}/service-domain-com-error.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/service-domain-com-access.log combined
ProxyPreserveHost On
ProxyRequests off
ProxyPass / a.another.server:8080/
ProxyPassReverse / a.another.server:8080/
</VirtualHost>
Thanks in advance for any guidance on how to do this.
I managed to get this fixed with a bit of trial and error. Posting the solution here in case anyone else is having the issue.
Working configuration file
<VirtualHost *:80>
ServerName service.domain.com
ErrorLog ${APACHE_LOG_DIR}/internal-fqdn-error.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/internal-fqdn-access.log combined
RewriteEngine On
RewriteRule ^/a$ /appname/command1?name=option1 [PT]
ProxyPreserveHost On
ProxyRequests off
ProxyPass / http://a.another.server:8080/
ProxyPassReverse / http://a.another.server:8080/
</VirtualHost>
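The working configuration above rewrites only /a and proxies / to the backend's root. As an added example that is not the poster's file, the version below maps all four requests listed in the question; the host a.another.server and the paths come from the question, nothing else is assumed:

```apache
<VirtualHost *:80>
    ServerName service.domain.com
    ErrorLog ${APACHE_LOG_DIR}/service-domain-com-error.log
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/service-domain-com-access.log combined

    RewriteEngine On
    # Exact-match rewrites for the two special URLs. The substitution
    # omits /appname because the ProxyPass below prepends it; [PT] hands
    # the rewritten path (query string included) on to mod_proxy.
    RewriteRule "^/a$" "/command1?name=option1" [PT]
    RewriteRule "^/b$" "/app2?name=option2"     [PT]

    ProxyPreserveHost On
    ProxyRequests Off
    # Everything else just gains the /appname folder:
    #   /         -> http://a.another.server:8080/appname/
    #   /css.css  -> http://a.another.server:8080/appname/css.css
    #   /a        -> http://a.another.server:8080/appname/command1?name=option1
    ProxyPass        "/" "http://a.another.server:8080/appname/"
    ProxyPassReverse "/" "http://a.another.server:8080/appname/"
</VirtualHost>
```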

Port configuration for Bitnami Redmine on domain on win 2008 server

I've installed Redmine using the Bitnami Stack on Win Server 2008 R2 64 bit. I already have IIS running over there, and want to configure subdomain.domain.com to access the Redmine which can be accessed on http://127.0.0.1:3000/redmine.
I'm following this guide (http://wiki.bitnami.org/Applications/BitNami_Redmine_Stack) to do the same. But unable to get it working.
After configuring I can't access Redmine altogether, but still access Bitnami page on the http://127.0.0.1:3000/
I want to confirm what port I should configure to listen in the config below: should I leave it on port 80 or configure it to listen on port 3000? Please advise.
<VirtualHost *:80>
ServerAdmin example.com
ServerName example.com
ServerAlias server
ErrorLog "logs/error.log"
CustomLog "logs/access.log" combined
# this not only blocks access to .svn directories, but makes it
# appear as though they aren't even there, not just that they are
# forbidden
<DirectoryMatch "^/.*/\.svn/">
ErrorDocument 403 /404.html
Order allow,deny
Deny from all
Satisfy All
</DirectoryMatch>
# This passes through remote_user to mongrel
RewriteEngine On
# Redirect non-static requests to cluster
RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
RewriteRule ^/(.*)$ balancer://redminecluster%{REQUEST_URI} [P,QSA,L]
</VirtualHost>
#ProxyPass / balancer://redminecluster
#ProxyPassReverse / balancer://redminecluster
<Proxy balancer://redminecluster>
BalancerMember http://127.0.0.1:3001
BalancerMember http://127.0.0.1:3002
</Proxy>
If you already have IIS running on port 80 and serving other applications, what you could try is to configure IIS as a reverse proxy for apache.
https://serverfault.com/questions/47537/can-iis-be-configure-to-forward-request-to-another-web-server

Apache mod_rewrite and multiple domains

I'm trying to use mod_rewrite to map multiple domains to different servlets on one host.
Example:
www.dom1.com -> 192.168.1.n/dom1
www.dom2.com -> 192.168.1.n/dom2 ...
I'm using the mod_rewrite and mod_proxy and VirtualHost directive but it seems that the reverse mapping via ProxyPassReverse doesn't work as I expected.
ProxyPassReverse /subdomain.domain.com http://192.168.1.n/subdomain
doesn't work. I've turned rewrite-logging on with
RewriteLog /var/log/rewrite.log
From the logs I'd say that rewriting works and the problem seems to be with reverse mapping. However I can't see any Reverse mapping entries.
It seems that reverse mapping isn't logged or needs a different command to be activated.
(Apache and the servlet container are on different machines but this should not matter, I'd think?)
After all I've found a solution that works for me.
This is an excerpt from my configuration that shows one virtual host for domain 1
<VirtualHost *>
ServerName www.dom1.com
ServerAlias dom1.com
RewriteEngine On
# logs might be omitted
RewriteLog /var/log/dom1_rewrite.log
RewriteLogLevel 2
CustomLog /var/log/dom1_custom.log common
ErrorLog /var/log/dom1_error.log
# rewrite to internal ip
RewriteRule ^/(.*) http://192.168.1.105/dom1/$1 [L,P,E=proxy_ok:1]
# Preserve the host-part in the forwarded url
ProxyPreserveHost On
# Substitute responses with the original
ProxyPassReverse / http://192.168.1.105/dom1/
ProxyPassReverse / http://192.168.1.105/dom1
ProxyPassReverse / http://dom1.com/dom1/
ProxyPassReverse / http://dom1.com/dom1
</VirtualHost>
What was wrong with my first configuration - I had to preserve the host and then add all necessary ProxyPassReverse rules to substitute the responses.
And this is my mod_proxy configuration:
<IfModule mod_proxy.c>
#turning ProxyRequests on and allowing proxying from all may allow
#spammers to use your proxy to send email.
ProxyRequests Off
<Proxy *>
AddDefaultCharset off
Order deny,allow
Deny from all
# Proxies just in case Proxy_ok is set
Allow from env=proxy_ok
</Proxy>
# Not sure whether we need this ...
# Enable/disable the handling of HTTP/1.1 "Via:" headers.
# ("Full" adds the server version; "Block" removes all outgoing Via: headers)
# Set to one of: Off | On | Full | Block
ProxyVia On
</IfModule>
There may be cleaner solutions, but it works as it should.