I know, I know, Apache is not the best tool to use as HTTP proxy, however I need it on my server.
Here's my virtual host configuration:
<VirtualHost *:*>
RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
</VirtualHost>
<VirtualHost *:80>
ServerName my.public.domain
Redirect / https://my.public.domain/
</VirtualHost>
<VirtualHost *:443>
ProxyPreserveHost On
ProxyPass / http://127.0.0.1:50001/
ProxyPassReverse / http://127.0.0.1:50001/
ServerName my.public.domain
ErrorLog ${APACHE_LOG_DIR}my-app-error.log
CustomLog ${APACHE_LOG_DIR}my-app-access.log common
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/my-cert/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/my-cert/privkey.pem
</VirtualHost>
In UseUrls method i have http://localhost:50001 configured as main URL, and this is redirected by Apache to HTTPS #443.
It works as charm, however I see this in logs:
warn: Microsoft.AspNetCore.HttpsPolicy.HttpsRedirectionMiddleware[3]
Failed to determine the https port for redirect.
In my configuration Apache handles https traffic, BTW, I can't communicate my app with Apache locally over HTTPS, it just doesn't work. I also think it's pointless to encrypt local internal traffic.
Unfortunately my solution requires some hacking to work 100% properly - I need to provide my public site URL in my app configuration - otherwise the app doesn't know what it's external address is. I mean - I build some links manually, because this is the core of my question - I don't know where the framework would keep such information. For example NavigationManager thinks my site URL is "http://localhost:50001", so if I need absolute URL in my app I can't use NavigationManager directly, I need to "manually" create the URL in app.
Links generated by Identity have "http" instead of "https", but it works because apache redirects everything to https.
Is there a way (and HOW) to do it more properly - a mean to officially tell the AspNET.Core it has specific external URL?
Where you have ServerName my.public.domain, use the following:
For port 80:
ServerName http://my.public.domain:80
For port 443:
ServerName https://my.public.domain:443
Related
I've read a lot of questions and answers which seem exactly the same as mine, but I can't seem to get my setup to work. I have a VM running Apache with only HTTP support at 192.168.2.101:32773. I can access it on my local network as such just fine. I now am ready to expose it through my Apache web server that has Lets Encrypt setup to generate SSL certificates. So I added this to my server conf file:
<VirtualHost *:32773>
ServerName server.com
SSLEngine on
SSLProxyEngine On
SSLCertificateFile /etc/letsencrypt/live/server.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/server.com/privkey.pem
ProxyRequests Off
ProxyPreserveHost On
ProxyPass / http://192.168.2.101:32773/
ProxyPassReverse / http://192.168.2.101:32773/
</VirtualHost>
However, I get an ERR_SSL_PROTOCOL_ERROR when I try to load it up as https://server.com:32773. If I however change my address to http://server.com:32773, it loads just fine. Anything look wrong in this snippet? Thanks!
HTTP and HTTPS need to be on different ports. Typically HTTPS is served on port 443.
This is embarrassing... At some point I changed my port forward rules to point 32773 directly to 192.168.2.101 so I could validate that the rules were working at all. The above config worked as soon as I realized I wasn't even sending traffic to my Apache SSL enabled server.
I configured my apache so that it can forward my requests to external URL like google.com, but the reverse proxy doesn't work.
<VirtualHost *:443>
ServerName authtest.com
ProxyRequests Off
ProxyPreserveHost On
<Proxy *>
Order allow,deny
Allow from All
</Proxy>
<LocationMatch "/google">
ProxyPass https://www.google.com/
ProxyPassReverse https://www.google.com/
</LocationMatch>
</VirtualHost>
Is it possible for me to reverse proxy external websites?
Is it possible for me to reverse proxy external websites?
Yes but with significant downsides.
Note: when I tried your configuration, I got SSL Proxy requested for [...] but not enabled [Hint: SSLProxyEngine] in the logs so I added SSLProxyEngine on.
Host issue
When you make a HTTP/1.1 request to a server, you automatically add the hostname in the request. When you proxy them, you have two possibilites:
[browser] --(Host: authtest.com)--> [apache proxy] --(Host: authtest.com)--> Google
or
[browser] --(Host: authtest.com)--> [apache proxy] --(Host: google.com)--> Google
The first one is what you get with ProxyPreserveHost On. Google servers won't handle requests for authtest.com, you should remove this line.
Even in the second case, you can have issues. ProxyPassReverse will handle redirects but only for the given domain: I'm in France, google.com redirects me to google.fr (a different domain) and the reverse proxy doesn't rewrite the redirect.
An other issue is the referer: if a service sees requests for images/css/js coming from a different web site it may consider it as bandwidth leeching and block them. Now, you need to rewrite the html of the response too (mod_proxy_html will help but it's not a silver bullet).
Path issue
In your example, you proxy <authtest>/google to <google>/. Like above, you need to rewrite the html: absolute links/resources won't work unless your server adds /google everywhere. Same for relative links/resources (but with more edge cases). If you owned the backend server, you could have checked urls in html/css/js files. Here, if the url is built dynamically in the browser using js you can't do anything.
If you can proxy / to / (or /whatever to /whatever) you will avoid a lot of issues here.
Chech this GIT Repo
I forked a GIT Repo and customized it to work with scenario:
[browser] --(Host: google.local)--> [apache proxy] --(Host: google.nl)--> Google
The Apache config as follows:
<VirtualHost *:80>
ServerName google.local
SSLProxyEngine on
ProxyRequests Off
<Proxy *>
Order allow,deny
Allow from All
</Proxy>
ProxyPass / https://www.google.nl/
ProxyPassReverse / https://www.google.nl/
ErrorLog /var/log/apache2/google.local-error.log
CustomLog /var/log/apache2/google.local-access.log combined
</VirtualHost>
I have an httpd server configured and working. The server returns "It works" and I can see the SSL is installed correctly.
The next step I undertook was configuring the reverse proxy, so that the users requests are redirected and I can have more customers' apps under one subdomain. The httpd configuration (shown below) I use is not mine, I am just attempting to reconfigure it to work for me. But with no big success up to now. There are directives that may be incorrect, but I have not tried commenting anything out.
#Apache is listening on port 443
Listen 443
SSLSessionCache shmcb:c:/Apache24/logs/shmcb_cache(512000)
SSLSessionCacheTimeout 300
Mutex default ssl-cache
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
<VirtualHost *:443>
#ProxyPreserveHost On
SSLProxyEngine On
ServerName XXXX.sk
ServerAdmin admin
# Logs
ErrorLog /var/log/rsk_error_log
TransferLog /var/log/rsk_access_log
# Server Certificate and Private Key:
SSLCertificateFile /ssl/certificate.crt
SSLCertificateKeyFile /ssl/private.key
SSLCertificateChainFile /ssl/chain.crt
#Include conf/extra/proxy-443-to-8890.conf
ProxyPass /customer http://172.17.0.4:8080
ProxyPassReverse /customer http://172.17.0.4:8080
</VirtualHost>
Now when I type XXXX.sk/customer I receive a response which is a login screen, but it is incorrectly rendered, the CSS is not used at all. There are many errors appearing. When I log in, no response is returned and the URL is corrupted.
Can any of you, using httpd in a reverse proxy mode, please share your configs, at least a part of them?
The default webroot in base-component is mapping to / in url. All of resources like css, js etc is using "/" to build url, So Although the proxying is
ProxyPass /customer http://172.17.0.4:8080
The actual js location is still
/lib/jquery/jquery-ui.min.css
not
/customer/lib/jquery/jquery-ui.min.css
To make it work, the reverse proxy would need more messy location proxy_pass configurations.
So using additional path to proxy the webroot is not suggested.
How can I redirect one subdomain to an external server without using a proxy ? I use the mod_proxy - ProxyPass setting that works.
<VirtualHost *:80>
ServerAdmin webmaster#localhost
ServerName sub.domain.org
ProxyPass / http://otherDomain.org
ProxyPassReverse / http://otherDomain.org
</VirtualHost>
My current concern is that all traffic goes through domain.org. This is a virtual machine while and otherDomain is a real physical machine. I use OtherDomain because the webservice is data heavy. Would proxying the full traffic through domain.org slow down everything? How can I just forward to otherDomain.org ? Edit: Please note that domain.org is registered at a provider but otherDomain.org is just a machine with an IP address, registered nowhere.
As you are proxying all traffic to another server the simplest solution is to change the DNS record of sub.domain.com to match the DNS record of otherdomain.com.
In the Apache vHost at otherdomain.com add an ServerAlias directive for sub.domain.com. That way you get rid of the proxy stuff and all clients connect directly to the target server.
I want to setup my host file to
127.0.0.2:5050 domain2.com => this is a local domain
when a type in my browser domain2.com, this return me : HTTP Error 404. The requested resource is not found.
i use this in apache
<VirtualHost 127.0.0.9:5050>
ServerAdmin info#domain2.com
DocumentRoot "C:/Users/My_Dir/LOOP/WebEnginer-2011/domain2_Dir/"
ServerName domain2.com
DirectoryIndex index.php index.html index.htm
ServerAlias www.domain2.com
ErrorLog "c:/wamp/xxxx/xxxx.log"
CustomLog "c:/wamp/xxxx/xxxx.log" common
</VirtualHost>
<VirtualHost 127.0.0.9:5050>
ServerAdmin info#domain2.com
DocumentRoot "C:/Users/My_Dir/LOOP/WebEnginer-2011/domain2_Dir/admin_Dir/"
ServerName admin.domain2.com
DirectoryIndex index.php index.html index.htm
ServerAlias www.admin.domain2.com
ErrorLog "c:/wamp/xxxx/xxxx.log"
CustomLog "c:/wamp/xxxx/xxxx.log" common
</VirtualHost>
but when i type 127.0.0.2:5050 i can see a web page. I want to use subdomain like admin.domain2.com
i can't use port 80 because IIS use that port.
How can i set up my host file to listen domain2.com?
That won't work since the hosts file only serves the purpose of mapping a hostname to an IP-address. The port number of a service is a different concept and is not handled by the "hosts" file nor the DNS-System. In Short: you can't supply a port number in the "hosts" file.
If your Webserver works on another port, you have to supply that information in the URL: http://domain2.com:5050.
The only other solution is to configure your Webservers to listen on a specific IP so that they don't interfere with each other. For example the IIS could listen on 127.0.0.1 and the Apache on 127.0.0.2 (the way you have already configured it).
There's a HOWTO for achieving that with the IIS. I'm not sure if that works for 127.0.0.x-IP's but I think it's worth a try.
It might be:
Your DNS resolver not resolving that properly
Some Apache webserver misconfiguration
Try this to get more information about that:
What if you ping domain2.com?
Also, try what happens if you put something like domain2.local in your hosts file. It might be some windows security c** disallowing you to overwrite the ip of an existing domain.
Why didn't you use 127.0.0.1? That should be fine, however
Make sure you have a properly configured VirtualHost that accepts requests to "domain2.com", or you just have a default virtualhost.
EDIT
What did you actually add to hosts file? The correct syntax would be:
127.0.0.2 domain2.com