All subdomains to the same Virtualhost - apache

I want example.com as well as any subdomain e.g. abc.example.com to be served by the same application. I cannot know all subdomains beforehand so I need wildcards. My (Django) application can handle requests to all subdomains.
The problem is that requests to abc.example.com return "400 Bad Request".
My Apache/2.4.29 (Ubuntu) configuration starts like this:
<VirtualHost *:80>
ServerName example.com
ServerAlias *.example.com
DocumentRoot /home/user/project
# ...
</VirtualHost>
Note: I have only defined one VirtualHost, which I intended to cover all subdomains. Requests to all paths of example.com, e.g. example.com/api/, work.
Subdomain requests are not logged in the access.log file where regular requests land, but in other_vhosts_access.log:
$ sudo tail -100 /var/log/apache2/other_vhosts_access.log
example.com:80 10.xx.191.xxx - - [15/Feb/2020:13:15:09 +0000] "GET /favicon.ico HTTP/1.0" 400 317 "http://abc.example.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/xxx.xx (KHTML, like Gecko) Chrome/80.0.xxxx.xxx Safari/xxx.xx"

Related

Trouble With Apache ProxyPass Forwarding Multiple Subdomains One Without SSL

First, I apologize for yet another ProxyPass question; I have been reading through many of them and the answers provided, and I still cannot identify what I am doing wrong.
I have 3 subdomains: cloud.example.com, wiki.example.com and other.example.com.
other.example.com has been running fine on host A with HTTPS.
cloud.example.com has been running fine on host B with HTTPS after forwarding with ProxyPass.
wiki.example.com was just added on host A as an application listening on another port, and is currently HTTP only until I resolve this issue and get SSL configured with Let's Encrypt and certbot.
Currently, when browsing to the other and cloud subdomains, they redirect to the HTTPS page automatically, as desired.
When browsing to the wiki subdomain, it also gets redirected to HTTPS, where it is not listening, and then displays wiki.example.com in the address bar while serving up the other.example.com content. I have verified using the IP and port that it is running and listening on HTTP. The message in the Apache access log shows Apache is receiving a request for HTTPS and cannot find https://wiki.example.com:
x.x.x.x - - [29/Jan/2022:14:05:16 -0700] "GET /favicon.ico HTTP/1.1" 404 513 "https://wiki.example.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36"
I have been using Firefox primarily, and after disabling all features forcing HTTPS and deleting all entries related to my site from the Library, the issue remained. I then tried Chromium, which I have never used for the site, and the issue remained.
I am having trouble identifying why the wiki subdomain is being redirected to HTTPS. Below is the example.com.conf section where the cloud subdomain is working and where the wiki subdomain is attempted. I have tried without the extra rewrite rules, with other rules listed in other answers, and nothing has changed.
I am guessing I have a configuration somewhere for Apache that is forcing all connections to HTTPS, but I cannot locate where it is.
<VirtualHost *:80>
ServerName cloud.example.com
ServerAlias cloud.example.com
ProxyPreserveHost On
ProxyPass / http://host B IP/
ProxyPassReverse / http://Host B IP/
RewriteEngine on
RewriteCond %{SERVER_NAME} =cloud.example.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<VirtualHost *:80>
ServerName wiki.example.com
ServerAlias wiki.example.com
ProxyPreserveHost On
ProxyPass / http://Host A IP:3000/
ProxyPassReverse / http://Host A IP:3000/
RewriteEngine on
RewriteCond %{SERVER_NAME} =wiki.example.com
RewriteRule ^ http://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
Not 100% sure why, but after connecting from another source with private mode it loaded fine, then began loading fine from everywhere. Strange, but resolved.

Reasons for differing behavior between Apache reverse proxy with and without SSL

I've been working on a local reverse proxy that routes traffic between two local Apache installations (each running a different version of mod_wsgi, which is the reason for the bifurcation). I want this reverse proxy to work whether the requests are HTTP or HTTPS.
However, when using SSL, the Location response header isn't being modified (properly) by ProxyPassReverse.
Below are the VirtualHost definitions for HTTP and HTTPS traffic, respectively:
<VirtualHost *:80>
# Proxy traffic for Version 6 with an alias of: 6x/
ProxyPass /6x/ http://localhost:10090/
ProxyPassReverse /6x/ http://localhost:10090/
# Proxy traffic for previous versions with aliases of: 5x/, 4x/, and /
ProxyPass /5x/ http://localhost:10080/
ProxyPassReverse /5x/ http://localhost:10080/
ProxyPass /4x/ http://localhost:10080/
ProxyPassReverse /4x/ http://localhost:10080/
ProxyPass / http://localhost:10080/
ProxyPassReverse / http://localhost:10080/
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName snakeoil.us.com
ProxyPreserveHost on
ProxyRequests off
SSLEngine on
SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
SSLCertificateFile /etc/ssl/certs/snakeoil.crt
SSLCertificateKeyFile /etc/ssl/certs/snakeoil.key
SSLCertificateChainFile /etc/ssl/certs/bundle-client.crt
# Proxy traffic for Version 6 with an alias of: 6x/
ProxyPass /6x/ https://localhost:10453/
ProxyPassReverse /6x/ https://localhost:10453/
# Proxy traffic for previous versions with aliases of: 5x/, 4x/, and /
ProxyPass /5x/ https://localhost:10443/
ProxyPassReverse /5x/ https://localhost:10443/
ProxyPass /4x/ https://localhost:10443/
ProxyPassReverse /4x/ https://localhost:10443/
ProxyPass / https://localhost:10443/
ProxyPassReverse / https://localhost:10443/
</VirtualHost>
</IfModule>
When I access the URL http://snakeoil.us.com/6x/snk610/index, the Location header comes back as Location: http://snakeoil.us.com/6x/snk610/index.
However, when I access the URL https://snakeoil.us.com/6x/snk610/index, the Location header comes back as Location: https://snakeoil.us.com/snk610/index, which results in a 404, since only one of the two local Apache instances being proxied (the one associated with the 6x route) recognizes the snk610 alias, and it isn't the instance being routed to in this case.
The bottom line is that the HTTP VirtualHost definition proxies requests between the two local Apache instances without fail. However, the HTTPS VirtualHost definition does not, and it isn't clear to me what causes this discrepancy.
Managed to find the solution. In retrospect, it should have been more obvious.
On the Apache instances being proxied to, I changed the access_log format to be the following:
LogFormat "%h %l %u %t \"%r\" %>s %b --> ResponseLocation: '%{Location}o'" common
This causes the outgoing response location to be logged.
Here is the output from the Apache HTTP instance (being proxied to):
[snake6x@test1 httpd6x]$ grep "ResponseLocation: 'http" logs/access_log
::1 - - [06/May/2020:15:43:25 -0400] "GET /snk610 HTTP/1.1" 301 233 --> ResponseLocation: 'http://localhost:10090/snk610/index'
::1 - - [06/May/2020:15:43:30 -0400] "GET /snk610/index HTTP/1.1" 302 247 --> ResponseLocation: 'http://localhost:10090/snk610/login?params=&message=&redirect_to=index'
::1 - - [06/May/2020:15:43:32 -0400] "POST /snk610/auth?redirect_to=index&params= HTTP/1.1" 302 204 --> ResponseLocation: 'http://localhost:10090/snk610/index'
From the above, you can see that the response Location header looks as expected, i.e. ProxyPassReverse should be able to make its replacement successfully.
Conversely, here is the output from the Apache HTTPS instance (being proxied to):
[snake6x@test1 httpd]$ grep "ResponseLocation: 'http" logs/ssl_request_log
[06/May/2020:19:53:38 +0000] ::1 "GET /snk610 HTTP/1.1" 240 2645788 --> ResponseLocation: 'https://snakeoil.us.com/snk610/index'
[06/May/2020:19:56:21 +0000] ::1 "GET /snk610/index HTTP/1.1" 254 2682899 --> ResponseLocation: 'https://snakeoil.us.com/snk610/login?params=&message=&redirect_to=index'
[06/May/2020:19:56:23 +0000] ::1 "POST /snk610/auth?redirect_to=index&params= HTTP/1.1" 240 752392 --> ResponseLocation: 'https://snakeoil.us.com/snk610/index'
From the above, you can see that the server name has been substituted for the incoming host name in the response Location header. This is what was causing ProxyPassReverse to fail to replace the outgoing hostname (on the reverse proxy server).
I resolved this problem by explicitly updating the outgoing location header on the server being proxied to:
# Since this server has a proxy immediately in front of it, we need the outgoing
# location to match the incoming location. However, the ServerName tag will
# cause the incoming location to be changed to include the ServerName, which will
# cause the upstream ProxyPassReverse to fail to update the outgoing location
# properly.
#
# This Header modification replaces the outgoing ServerName with the incoming
# name.
#
# FIXME: There is surely a better way to do this with a variable that contains
# the incoming host
Header edit Location ^https://snakeoil.us.com:443 https://localhost:10453
Header edit Location ^https://snakeoil.us.com https://localhost:10453
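Added example (not code from the question): a small model of the two rewrites discussed in this post, the prefix substitution ProxyPassReverse performs on the proxy and the backend-side Header edit fix, run against the Location values from the logs above. Hostnames, ports and paths are the question's; the public scheme and host are taken from the URLs being browsed.

```python
"""ProxyPassReverse prefix matching plus the backend Header edit fix.

Models what mod_proxy does to an upstream Location header and why the HTTPS
case in the question passed through untouched until the backend was fixed.
"""
import re

# (public path, backend URL) pairs in VirtualHost order, from the question.
HTTP_REVERSE_MAP = [
    ("/6x/", "http://localhost:10090/"),
    ("/5x/", "http://localhost:10080/"),
    ("/4x/", "http://localhost:10080/"),
    ("/", "http://localhost:10080/"),
]
HTTPS_REVERSE_MAP = [
    ("/6x/", "https://localhost:10453/"),
    ("/5x/", "https://localhost:10443/"),
    ("/4x/", "https://localhost:10443/"),
    ("/", "https://localhost:10443/"),
]
# The poster's fix on the HTTPS backend, applied in configuration order.
# Dots are left unescaped exactly as in the question (they match any char).
BACKEND_HEADER_EDITS = [
    ("^https://snakeoil.us.com:443", "https://localhost:10453"),
    ("^https://snakeoil.us.com", "https://localhost:10453"),
]


def proxy_pass_reverse(location, reverse_map, public_base):
    """Rewrite an upstream Location header the way mod_proxy does.

    The first pair whose backend URL is a case-insensitive prefix of the
    header wins: the prefix becomes the public path and the proxy's own
    scheme+host is put in front. A header that matches no backend URL is
    passed through unchanged, which is the HTTPS symptom in the question.
    Because several public paths share one backend here, a redirect from
    localhost:10080 always comes back as /5x/..., whichever alias was used.
    """
    for public_path, backend_url in reverse_map:
        if location.lower().startswith(backend_url.lower()):
            return public_base + public_path + location[len(backend_url):]
    return location


def header_edit(value, pattern, replacement):
    """Apache ``Header edit``: replace only the first match (edit* does all).

    Apache writes back-references as $1; Python's re.sub uses \\1, which does
    not matter for the group-free patterns in the question.
    """
    return re.sub(pattern, replacement, value, count=1)


def backend_then_proxy(location, edits, reverse_map, public_base):
    """Location as the browser sees it: backend edits first, then the proxy."""
    for pattern, replacement in edits:
        location = header_edit(location, pattern, replacement)
    return proxy_pass_reverse(location, reverse_map, public_base)


if __name__ == "__main__":
    # Plain HTTP: backend answers with its own host, so the /6x/ pair matches.
    print(proxy_pass_reverse("http://localhost:10090/snk610/index",
                             HTTP_REVERSE_MAP, "http://snakeoil.us.com"))
    # HTTPS: backend already substituted its ServerName, nothing matches.
    print(proxy_pass_reverse("https://snakeoil.us.com/snk610/index",
                             HTTPS_REVERSE_MAP, "https://snakeoil.us.com"))
    # With the backend Header edit in place the /6x/ pair matches again.
    print(backend_then_proxy("https://snakeoil.us.com/snk610/index",
                             BACKEND_HEADER_EDITS, HTTPS_REVERSE_MAP,
                             "https://snakeoil.us.com"))
```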

Jenkins behind apache proxy

My Jenkins is running in Kubernetes with a Service of type LoadBalancer, and I added the Azure annotations below so that it takes a private IP address from the internal subnet and exposes the service internally.
annotations:
service.beta.kubernetes.io/azure-load-balancer-internal: "true"
service.beta.kubernetes.io/azure-load-balancer-internal-subnet: subnetName
I have one Ubuntu VM where Apache is installed. I created a self-signed certificate, terminated TLS in the Apache configuration, and I'm able to access the Apache home page using HTTPS.
Then I created a proxy rule to the Jenkins service IP address. Basically, I want to access Jenkins through Apache over HTTPS, with Apache forwarding internally as HTTP traffic towards the Kubernetes service.
Here is the Apache configuration:
xxxx@xxxx:/etc/apache2/sites-available$ ls -ltrh
total 28K
-rw-r--r-- 1 root root 1332 Jul 16 18:14 000-default.conf
-rw-r--r-- 1 root root 6338 Jul 16 18:14 default-ssl.conf
drwxr-xr-x 2 root root 4096 Dec 12 17:24 abc
-rw-r--r-- 1 root root 680 Dec 12 13:04 abc.conf
drwxr-xr-x 2 root root 4096 Dec 12 14:29 xyz
-rw-r--r-- 1 root root 1151 Dec 12 13:08 xyz.conf
cat abc/00-redirect-to-https.conf
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^jenkins$ login [L,R=302]
cat abc.conf
<VirtualHost *:80>
ServerAdmin webmaster@localhost
LogLevel warn
ErrorLog ${APACHE_LOG_DIR}/abc_error.log
CustomLog ${APACHE_LOG_DIR}/abc_access.log combined
<IfModule mod_headers.c>
RequestHeader unset X-Forwarded-For
RequestHeader unset X-Forwarded-Host
RequestHeader unset X-Forwarded-Server
RequestHeader set X-Forwarded-Proto "http"
RequestHeader set X-Forwarded-Port "80"
</IfModule>
# Apache will try to set application/json based on mime type
# This behaviour is causing problems with empty JSON responses from Spring
RemoveType json
Include sites-available/abc/*.conf
</VirtualHost>
cat xyz/00-jenkins.conf
ProxyPass /jenkins balancer://jenkins/jenkins
ProxyPassReverse /jenkins balancer://jenkins/jenkins
<Proxy balancer://jenkins>
BalancerMember http://x.x.x.x:8080 loadfactor=1 keepalive=On retry=0
ProxySet lbmethod=bytraffic
</Proxy>
cat xyz.conf
<VirtualHost *:443>
ServerAdmin webmaster@localhost
ServerName FQDN
LogLevel warn
ErrorLog ${APACHE_LOG_DIR}/xyz_error.log
CustomLog ${APACHE_LOG_DIR}/xyz_access.log combined
<IfModule mod_headers.c>
RequestHeader unset X-Forwarded-For
RequestHeader unset X-Forwarded-Host
RequestHeader unset X-Forwarded-Server
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Port "443"
</IfModule>
SSLEngine on
SSLProtocol -ALL +TLSv1 +TLSv1.1 +TLSv1.2
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
SSLCertificateFile /etc/apache2/certs/ca.cert
SSLCertificateKeyFile /etc/apache2/certs/ca.key
# Apache will try to set application/json based on mime type
# This behaviour is causing problems with empty JSON responses from Spring
RemoveType json
Include sites-available/xyz/*.conf
</VirtualHost>
If I do curl -k https://localhost/jenkins from the local Ubuntu VM, the response shows that authentication is required, which is fine, as below, but the redirect URL becomes window.location.replace('/login?from=%2F'):
<html><head><meta http-equiv='refresh' content='1;url=/login?from=%2Fjenkins'/><script>window.location.replace('/login?from=%2Fjenkins');</script></head><body style='background-color:white; color:white;'>
Authentication required
<!--
You are authenticated as: anonymous
Groups that you are in:
Permission you need to have (but didn't): hudson.model.Hudson.Read
... which is implied by: hudson.security.Permission.GenericRead
... which is implied by: hudson.model.Hudson.Administer
-->
</body></html>
But in the same case, when I request https://FQDN/jenkins from a browser, the URL becomes https://FQDN/login?from=%2F and the browser throws a URL Not Found error:
Not Found
The requested URL was not found on this server.
Please assist here to correct the configurations.
Thanks.
More observations from the logs:
When I did curl -k https://localhost/jenkins, the Apache access log shows 403, which is OK because I've not passed credentials:
127.0.0.1 - - [13/Dec/2019:13:37:40 +0000] "GET /jenkins HTTP/1.1" 403 3297 "-" "curl/7.58.0"
When the same is tried from an internet browser at https://FQDN/jenkins, the Apache log first shows 403, which is wanted, but soon after Apache tries to find the changed URL on the same VM instead of redirecting, due to which I'm not getting the Jenkins page:
165.225.106.137 - - [13/Dec/2019:13:38:19 +0000] "GET /jenkins HTTP/1.1" 403 3446 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
165.225.106.137 - - [13/Dec/2019:13:38:19 +0000] "GET /jenkins HTTP/1.1" 403 1564 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
165.225.106.137 - - [13/Dec/2019:13:38:20 +0000] "GET /login?from=%2F HTTP/1.1" 404 541 "https://DNSname/jenkins" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
It's working now after changing the configurations below:
(1)
Set the context path by modifying the jenkins.xml configuration file and adding --prefix=/jenkins (or similar) to the <arguments> entry.
https://wiki.jenkins.io/display/JENKINS/Running+Jenkins+behind+Apache
(2)
Initially -- RewriteRule ^jenkins$ login [L,R=302]
Now -- RewriteRule ^/jenkins(.*)$ /
(3)
Initially --
ProxyPass /jenkins balancer://jenkins/jenkins
ProxyPassReverse /jenkins balancer://jenkins/jenkins
<Proxy balancer://jenkins>
BalancerMember http://x.x.x.x:8080 loadfactor=1 keepalive=On retry=0
ProxySet lbmethod=bytraffic
</Proxy>
Now --
ProxyPass /jenkins balancer://jenkins
ProxyPassReverse /jenkins balancer://jenkins
ProxyRequests Off
AllowEncodedSlashes NoDecode
<Proxy balancer://jenkins>
BalancerMember http://x.x.x.x:8080/jenkins loadfactor=1 keepalive=On retry=0
ProxySet lbmethod=bytraffic
</Proxy>

403 Forbidden on CORS request from local

I am working with Gluu Server and trying to get the OpenID Connect configuration from the /.well-known/openid-configuration endpoint through a CORS/AJAX request (for use with an Angular app). However, when I try to request the endpoint from a locally hosted app/HTML file with XHR requesting the endpoint, I receive a 403 Forbidden error.
This only seems to happen when the request stems from a local context, i.e. Angular's development server or a local HTML file requesting the endpoint. If I open the same HTML file that performs the AJAX request, hosted on a server, it works.
The testing HTML file looks like the following:
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
</head>
<body>
<div id="content"></div>
<script type="text/javascript">
var url = 'https://example.com/.well-known/openid-configuration';
var req = new XMLHttpRequest();
req.open('GET', url, true);
req.setRequestHeader('Content-Type', 'application/json');
req.onload = () => {
if (req.status >= 200 && req.status < 400) {
console.log('[XHR SUCCESS]');
var el = document.getElementById('content');
el.innerHTML = req.responseText;
} else {
console.log('[XHR ERROR]', req);
}
}
req.onerror = () => {
console.log('[XHR CONNECTION ERROR]');
}
req.send();
</script>
</body>
</html>
Requesting from local file
As mentioned above, when requesting from a local HTML file, I receive the 403 Forbidden error.
In the browser console (Chrome), two errors are output:
Failed to load resource: the server responded with a status of 403 (Forbidden)
Access to XMLHttpRequest at 'https://example.com/.well-known/openid-configuration' from origin 'null' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status.
The only output on the server that I have found relating to this is in the file /var/log/apache2/other_vhosts_access.log:
example.com:443 <IP> - - [11/Mar/2019:10:45:20 +0000] "OPTIONS /.well-known/openid-configuration HTTP/1.1" 403 3763 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36"
The server receives the following (from the log_forensic module for Apache) when requested from local:
OPTIONS /.well-known/openid-configuration HTTP/1.1|Host:example.com|Connection:keep-alive|Pragma:no-cache|Cache-Control:no-cache|Access-Control-Request-Method:GET|Origin:null|User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36|Access-Control-Request-Headers:content-type|Accept:*/*|Accept-Encoding:gzip, deflate, br|Accept-Language:en-US,en;q=0.9
Requesting from server-hosted file
When doing the exact same thing as above, but with the HTML file hosted on a server, the request completes successfully.
Output in the access log:
example.com:443 <IP> - - [11/Mar/2019:11:06:46 +0000] "OPTIONS /.well-known/openid-configuration HTTP/1.1" 200 779 "http://example.org/xhr-cors.html" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36"
example.com:443 <IP> - - [11/Mar/2019:11:06:46 +0000] "GET /.well-known/openid-configuration HTTP/1.1" 200 6629 "http://example.org/xhr-cors.html" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36"
From log_forensic:
OPTIONS /.well-known/openid-configuration HTTP/1.1|Host:example.com|Connection:keep-alive|Access-Control-Request-Method:GET|Origin:http%3a//example.org|User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36|Access-Control-Request-Headers:content-type|Accept:*/*|Referer:http%3a//example.org/xhr-cors.html|Accept-Encoding:gzip, deflate, br|Accept-Language:en-US,en;q=0.9
GET /.well-known/openid-configuration HTTP/1.1|Host:example.com|Connection:keep-alive|Origin:http%3a//example.org|User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36|Content-Type:application/json|Accept:*/*|Referer:http%3a//example.org/xhr-cors.html|Accept-Encoding:gzip, deflate, br|Accept-Language:en-US,en;q=0.9
Apache configuration
The configuration for Apache on the server is:
<VirtualHost *:80>
ServerName example.com
Redirect / https://example.com/
DocumentRoot "/var/www/html/"
RewriteEngine on
RewriteCond %{SERVER_NAME} =example.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<VirtualHost *:443>
DocumentRoot "/var/www/html/"
ServerName example.com:443
LogLevel warn
SSLEngine on
SSLProtocol -all +TLSv1.1 +TLSv1.2
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES128-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
# SetEnv proxy-nokeepalive 1
SetEnv proxy-initial-not-pooled 1
Timeout 60
ProxyTimeout 60
# Security headers
# Header always append X-Frame-Options SAMEORIGIN
Header always set X-Xss-Protection "1; mode=block"
Header always set X-Content-Type-Options nosniff
# Header always set Content-Security-Policy "default-src 'self' 'unsafe-inline' https://example.com"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header edit Set-Cookie ^((?!session_state).*)$ $1;HttpOnly
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
# Unset X-ClientCert to make sure that we not get certificate in request
RequestHeader unset X-ClientCert
# Turn off support for true Proxy behaviour as we are acting as a transparent proxy
ProxyRequests Off
# Turn off VIA header as we know where the requests are proxied
ProxyVia Off
# Turn on Host header preservation so that the servlet container
# can write links with the correct host and rewriting can be avoided.
ProxyPreserveHost On
# Preserve the scheme when proxying the request to Jetty
RequestHeader set X-Forwarded-Proto "https" env=HTTPS
Header unset ETag
FileETag None
RedirectMatch ^(/)$ /identity/
# Set the permissions for the proxy
<Proxy *>
AddDefaultCharset off
Order deny,allow
Allow from all
</Proxy>
<Location /oxauth>
ProxyPass http://localhost:8081/oxauth retry=5 connectiontimeout=60 timeout=60
# Header set Access-Control-Allow-Origin "*"
Order deny,allow
Allow from all
</Location>
<LocationMatch /oxauth/auth/cert/cert-login>
SSLVerifyClient optional_no_ca
SSLVerifyDepth 10
SSLOptions -StdEnvVars +ExportCertData
# Forward certificate to destination server
RequestHeader set X-ClientCert %{SSL_CLIENT_CERT}s
</LocationMatch>
<Location /idp>
ProxyPass http://localhost:8086/idp retry=5 connectiontimeout=60 timeout=60
Order deny,allow
Allow from all
</Location>
<Location /identity>
ProxyPass http://localhost:8082/identity retry=5 connectiontimeout=60 timeout=60
Order deny,allow
Allow from all
</Location>
<Location /cas>
ProxyPass http://localhost:8083/cas retry=5 connectiontimeout=60 timeout=60
Order deny,allow
Allow from all
</Location>
<Location /oxauth-rp>
ProxyPass http://localhost:8085/oxauth-rp retry=5 connectiontimeout=60 timeout=60
Order deny,allow
Allow from all
</Location>
<Location /asimba>
ProxyPass http://localhost:8084/asimba retry=5 connectiontimeout=60 timeout=60
Order deny,allow
Allow from all
</Location>
<Location /passport>
ProxyPass http://localhost:8090/passport retry=5 connectiontimeout=60 timeout=60
Order deny,allow
Allow from all
</Location>
<Location /casa>
ProxyPass http://localhost:8091/casa retry=5 connectiontimeout=60 timeout=60
Order deny,allow
Allow from all
</Location>
<LocationMatch "/.well-known/openid-configuration">
ProxyPass http://localhost:8081/oxauth/.well-known/openid-configuration
Header set Access-Control-Allow-Origin "*"
</LocationMatch>
# ProxyPass /.well-known/openid-configuration http://localhost:8081/oxauth/.well-known/openid-configuration
ProxyPass /.well-known/simple-web-discovery http://localhost:8081/oxauth/.well-known/simple-web-discovery
ProxyPass /.well-known/webfinger http://localhost:8081/oxauth/.well-known/webfinger
ProxyPass /.well-known/uma2-configuration http://localhost:8081/oxauth/restv1/uma2-configuration
ProxyPass /.well-known/fido-configuration http://localhost:8081/oxauth/restv1/fido-configuration
ProxyPass /.well-known/fido-u2f-configuration http://localhost:8081/oxauth/restv1/fido-configuration
ProxyPass /.well-known/scim-configuration http://localhost:8082/identity/restv1/scim-configuration
ServerAlias example.com
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
I have commented out the
ProxyPass /.well-known/openid-configuration http://localhost:8081/oxauth/.well-known/openid-configuration
directive and introduced the
<LocationMatch "/.well-known/openid-configuration">
ProxyPass http://localhost:8081/oxauth/.well-known/openid-configuration
Header set Access-Control-Allow-Origin "*"
</LocationMatch>
directive to add CORS header(s).
Other
Other things I've tried to figure out what the issue is:
Performed a GET request to the endpoint through Postman, which completed successfully.
Performed an OPTIONS request to the endpoint through Postman, which completed successfully.
I'd very much appreciate some input on this as it has me pretty stumped and being unable to work from local when developing is cumbersome. If any clarification is needed, please let me know.
Turns out this problem was an amalgamation of two unrelated things.
First, and this is mostly conjecture, it seems that Chrome blocks requests from a local file (the HTML file) and simply provides output that is, to me, very confusing; i.e. the 403 error might be because Chrome blocks the CORS request somehow. I tried running Chrome with various flags, e.g. --disable-web-security and --allow-file-access-from-files, but this did not change the output from the local HTML file. So the local file request still fails, and I don't really know the exact reason. But since this was just for testing, it is not that relevant for me currently.
Secondly, an erroneous implementation in an interceptor in the Angular project overwrote all headers for requests. After fixing this, the local server was able to request the endpoint.
It just so happened that the output from the two different issues looked pretty much identical, which threw me off.
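Added example, not code from the question or from Gluu: it parses the log_forensic records quoted in this post and applies the checks a browser makes on a CORS preflight, so the two requests can be compared against a response. The response headers are constructed, since the question shows only the requests; the configuration sets just Access-Control-Allow-Origin, and a plain Header set is not emitted on a 403 at all (that would need Header always set).

```python
"""Parse mod_log_forensic records and evaluate a CORS preflight response."""
from urllib.parse import unquote

# Abridged copies of the two OPTIONS records from the question (UA etc. cut).
LOCAL_FILE_PREFLIGHT = (
    "OPTIONS /.well-known/openid-configuration HTTP/1.1|Host:example.com|"
    "Connection:keep-alive|Access-Control-Request-Method:GET|Origin:null|"
    "Access-Control-Request-Headers:content-type|Accept:*/*"
)
HOSTED_PREFLIGHT = (
    "OPTIONS /.well-known/openid-configuration HTTP/1.1|Host:example.com|"
    "Access-Control-Request-Method:GET|Origin:http%3a//example.org|"
    "Access-Control-Request-Headers:content-type|"
    "Referer:http%3a//example.org/xhr-cors.html"
)
# Methods that need no Access-Control-Allow-Methods entry (CORS-safelisted).
SAFELISTED_METHODS = {"GET", "HEAD", "POST"}


def parse_forensic(record):
    """Split one forensic record into (method, target, headers).

    Fields are '|'-separated; the module %xx-escapes ':', '|' and '%' inside
    values, which is why the log shows Origin:http%3a//example.org. Raw records
    start with a +<id> field, which the question has already stripped.
    """
    fields = record.strip().split("|")
    if fields[0].startswith("+"):
        fields = fields[1:]
    method, target, _proto = fields[0].split(" ", 2)
    headers = {}
    for field in fields[1:]:
        name, _, value = field.partition(":")
        headers[name.lower()] = unquote(value)
    return method, target, headers


def _csv_set(value):
    return {item.strip().lower() for item in value.split(",") if item.strip()}


def preflight_problems(request_headers, status, response_headers):
    """Reasons a browser rejects the preflight; an empty list means it passes.

    Follows the Fetch checks for a request without credentials (the XHR in the
    question does not set withCredentials), so '*' also covers the 'null'
    origin that a file:// page sends.
    """
    resp = {k.lower(): v for k, v in response_headers.items()}
    problems = []
    if not 200 <= status < 300:
        problems.append(f"status {status} is not an HTTP ok status")
    origin = request_headers.get("origin", "")
    acao = resp.get("access-control-allow-origin")
    if acao not in ("*", origin):
        problems.append(f"Access-Control-Allow-Origin {acao!r} does not cover {origin!r}")
    method = request_headers.get("access-control-request-method", "GET").upper()
    allowed_methods = {m.upper() for m in _csv_set(resp.get("access-control-allow-methods", ""))}
    if method not in allowed_methods and method not in SAFELISTED_METHODS and "*" not in allowed_methods:
        problems.append(f"method {method} is not allowed")
    # Content-Type: application/json is not safelisted, hence this request header.
    wanted = _csv_set(request_headers.get("access-control-request-headers", ""))
    allowed_headers = _csv_set(resp.get("access-control-allow-headers", ""))
    if "*" not in allowed_headers:
        for name in sorted(wanted - allowed_headers):
            problems.append(f"header {name!r} missing from Access-Control-Allow-Headers")
    return problems


def check(record, status, response_headers):
    """Problems for one logged preflight given a (constructed) response."""
    _method, _target, headers = parse_forensic(record)
    return preflight_problems(headers, status, response_headers)


if __name__ == "__main__":
    print(check(LOCAL_FILE_PREFLIGHT, 403, {}))
    print(check(HOSTED_PREFLIGHT, 200, {"Access-Control-Allow-Origin": "*"}))
    print(check(HOSTED_PREFLIGHT, 200, {"Access-Control-Allow-Origin": "*",
                                        "Access-Control-Allow-Headers": "Content-Type"}))
```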

Apache - forbidden 403 error - when different document root

I've been having this issue for a while now and never got around to fixing it. Basically, whenever I have a DocumentRoot which is not in
/var/www
I get a
Forbidden
You don't have permission to access / on this server.
Apache/2.4.7 (Ubuntu) Server at example.com Port 80
My VirtualHost looks like this:
<VirtualHost *:80>
ServerName example.com
DocumentRoot /home/prakash/1985/Foodini/bitbucket/foowork/views
</VirtualHost>
What could the reasons be? Should I have the files belonging to a different group, or have different permissions?
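Added example, not from the question: a filesystem check for the permission side of this. Apache's worker (www-data on Ubuntu) needs the search (x) bit on every directory from / down to the DocumentRoot and read on the files, and the example assumes the worker is neither owner nor group member of the home-directory components, so only the 'others' bits are inspected; the temp tree it builds stands in for the question's /home/... path.

```python
"""Walk a DocumentRoot's ancestors and list what 'others' cannot traverse.

A clean result only rules out the filesystem as the cause of a 403; Apache's
own access rules are a separate check.
"""
import os
import stat
import tempfile


def ancestors(path):
    """Yield '/', then each longer prefix, ending with the path itself."""
    path = os.path.abspath(path)
    current = os.sep
    yield current
    for part in [p for p in path.split(os.sep) if p]:
        current = os.path.join(current, part)
        yield current


def unsearchable_dirs(docroot):
    """Directories on the way to docroot (inclusive) lacking x for others."""
    blocked = []
    for directory in ancestors(docroot):
        try:
            mode = os.stat(directory).st_mode
        except FileNotFoundError:
            blocked.append(f"{directory} (does not exist)")
            break
        if not mode & stat.S_IXOTH:
            blocked.append(directory)
    return blocked


def unreadable_files(docroot):
    """Regular files directly under docroot that others cannot read."""
    out = []
    for name in sorted(os.listdir(docroot)):
        full = os.path.join(docroot, name)
        st = os.stat(full)
        if stat.S_ISREG(st.st_mode) and not st.st_mode & stat.S_IROTH:
            out.append(full)
    return out


def build_demo_tree():
    """Constructed stand-in for the question's layout: a private (700) home
    directory above a world-readable DocumentRoot. Returns (docroot, blocked).
    Note that mkdtemp itself creates a 700 base directory, which is reported too."""
    base = tempfile.mkdtemp()
    home = os.path.join(base, "home", "prakash")
    docroot = os.path.join(home, "foowork", "views")
    os.makedirs(docroot)
    for d in (os.path.join(base, "home"), os.path.join(home, "foowork"), docroot):
        os.chmod(d, 0o755)
    os.chmod(home, 0o700)
    with open(os.path.join(docroot, "index.html"), "w") as fh:
        fh.write("<h1>hi</h1>\n")
    os.chmod(os.path.join(docroot, "index.html"), 0o644)
    return docroot, unsearchable_dirs(docroot)


if __name__ == "__main__":
    docroot, blocked = build_demo_tree()
    for d in blocked:
        print("no search bit for others:", d)
    print("unreadable files:", unreadable_files(docroot))
```

Run it against the real DocumentRoot with unsearchable_dirs("/home/prakash/1985/Foodini/bitbucket/foowork/views") to see which component, if any, stops the worker.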