How to set Connection properties on an Apache Reverse Proxy - apache

I have to set connection properties on an Apache 2.4 Proxy which only uses the ProxyPassReverse directive instead of the ProxyPass directive which accepts additional parameters like lim, max, ttl, timeout ...
<Location /postbox-sdd/>
LuaHookTranslateName /etc/httpd/conf.d/hooks.lua map_xxx_to_postbox early
ProxyPassReverse /postbox-sdd/
Session On
SessionEnv On
SessionCookieName cfsession path=/
SessionCookieName2 session path=/;domain=localhost;httponly;secure;version=1;
SessionHeader X-Replace-Session
SetEnv HTTPS on
RequestHeader edit Destination ^http: https: early
Header add referer "https://postbox.xxx"
RequestHeader set referer "https://postbox.xxx"
Header unset CACHE-CONTROL
RequestHeader unset CACHE-CONTROL
</Location>
When I try to use the ProxySet directive (for example ProxySet ttl=20) after the ProxyPassReverse line, I end up with an error because I don't know the worker name. Is there a default worker name or is it possible to set one?
ProxySet can not find 'ttl=20' Worker
The reason for doing this is to use a kind of connection pooling to the destination system postbox.xxx. I want to reuse existing connections for new requests instead of permanent open/close for every new request.
Thanks for help

Related

httpd: stickysession and nofailover

I have a config file that contains:
<VirtualHost _default_:80>
RewriteEngine On
ProxyPreserveHost On
RequestHeader set X-Forwarded-Proto "https" env=HTTPS
<Proxy "balancer://webtop">
BalancerMember "http://internalsite:7003" route=web1 ping=2
BalancerMember "http://internalsite:7006" route=web2 ping=2
ProxySet lbmethod=byrequests
</Proxy>
<Location /webtop>
ProxyPass balancer://webtop/webtop stickysession=ROUTEID nofailover=On
Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/webtop" env=BALANCER_ROUTE_CHANGED
</Location>
</VirtualHost>
Questions:
First connect. We have no routeid cookie. Could the balancer check BalancerMember status before first assigning, to prevent assigning to an inactive BalancerMember?
Something happens. We have a routeid cookie, for example, web1, but this BalancerMember is down. We make a new request. Could httpd automatically change the cookie to web2 and switch to this BalancerMember?
I'm trying to configure Apache httpd as a balancer.
First connect. We have no routeid cookie. Could the balancer check BalancerMember status before first assigning, to prevent assigning to an inactive BalancerMember?
The cookie can either be set by the backend. You can set cookies at ProxyPass or ProxySet. The balancer extracts the value of the cookie and looks for a member worker with a route equal to that value.
Something happens. We have a routeid cookie, for example, web1, but this BalancerMember is down. We make a new request. Could httpd automatically change the cookie to web2 and switch to this BalancerMember?
Yes. If nofailover is set to On, the session will break if the worker is in an error state or disabled. Set this value to On if backend servers do not support session replication.

Precedence of Apache <Location> directives?

We are using Apache 2.4.48 and a module that Oracle provides (the "WebLogic Plugin for Apache" - I guess equivalent to ProxyPass/ProxyPassReverse, but more WebLogic specific) to proxy some endpoints that are on WebLogic server. The configuration was set up a while ago, and I am trying to understand the behavior of the directive.
In the Apache ssl.conf, we have (for example):
<VirtualHost _default_:443 _default_:14101>
<Location />
WLSRequest On
SetHandler weblogic-handler
WebLogicCluster XXX01.foo.com:14101,XXX02.foo.com:14101,XXX03.foo.com:14101,XXX04.foo.com:14101
WLCookieName OAMSESSIONID
SecureProxy ON
WLSSLWallet "/apps/products/apache/2.4.46/instances/apache_oam/conf/certs/wallet"
#RequireSSLHostMatch false
Debug OFF
WLLogFile "/apps/products/apache/2.4.46/instances/apache_oam/logs/oam_location.out"
</Location>
<Location /service/show>
SetHandler default-handler
WLSRequest Off
AuthType None
Require all granted
Header always set Access-Control-Allow-Origin %{ACAO}e env=ACAO
Header always set Access-Control-Allow-Credentials "true"
Header always set Access-Control-Allow-Methods "GET, POST, OPTIONS"
Header always set Access-Control-Allow-Headers "Origin, Content-Type, Accept, Authorization"
</Location>
.
.
.
### Cert Check ###
ScriptAlias /certcheck "/apps/products/apache/instances/apache_oam/cgi-bin/certcheck"
<Location /certcheck>
SSLVerifyClient optional_no_ca
</Location>
### End Cert Check ###
</VirtualHost>
I (probably mistakenly) always thought that, in Apache configuration, the more specific directive would take precedence over the less specific, but, when I test with the above, the <Location /> appears to cause EVERY request to be proxied to the backend servers, even though the "<Location /certcheck>" is "more specific".
Because of this, the /certcheck, which is supposed to be a local resource, is causing the request to be proxied to the backend, instead of serving from the local resource.
Can someone explain why this is happening?
Also, if what we WANTED was to proxy every request/URI UNLESS we specify the URI in a "<Location /xxxx>", how can we accomplish this?
Thanks,
Jim
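
Why `/certcheck` still carries the proxy handler, as an added example (not part of the original question and not httpd's own code): a simplified Python model of httpd's documented merge order for `<Location>` sections, where every matching section is applied in configuration order and a later section overrides only the directives it sets. The section contents are trimmed from the ssl.conf above; treating the merge as a per-directive override is a simplification of httpd's per-module merging.

```python
# Simplified model: all matching <Location> sections are merged in config
# order; a later section replaces only the directives it sets itself.

# Constructed from the ssl.conf in the question (directives trimmed).
SECTIONS = [
    ("/", {"SetHandler": "weblogic-handler", "WLSRequest": "On"}),
    ("/service/show", {"SetHandler": "default-handler", "WLSRequest": "Off"}),
    ("/certcheck", {"SSLVerifyClient": "optional_no_ca"}),
]

def location_matches(prefix, path):
    """Prefix match on whole path segments, as <Location> does."""
    if prefix.endswith("/"):
        return path.startswith(prefix)
    return path == prefix or path.startswith(prefix + "/")

def effective_config(sections, path):
    """Merge every matching section in order; later values win."""
    merged = {}
    for prefix, directives in sections:
        if location_matches(prefix, path):
            merged.update(directives)
    return merged

def inherited_from(sections, path, directive):
    """Prefix of the last matching section that set the directive, or None."""
    owner = None
    for prefix, directives in sections:
        if location_matches(prefix, path) and directive in directives:
            owner = prefix
    return owner

if __name__ == "__main__":
    for path in ("/certcheck", "/service/show", "/anything/else"):
        cfg = effective_config(SECTIONS, path)
        src = inherited_from(SECTIONS, path, "SetHandler")
        print(f"{path}: SetHandler={cfg['SetHandler']} (set by <Location {src}>)")
```

In this model `/service/show` escapes the proxy because its section sets `SetHandler` and `WLSRequest` itself, while `/certcheck` sets neither and keeps the values from `<Location />`.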

ProxyRemote for Proxypass

I want to check my logic with you experts to check if it is correct.
What do I want to do?
Requests to Location search or suggest are sent to ProxyPass.
The ProxyPass connection is passed through the proxy with the ProxyRemote directive.
Will that eventually work?
How can I see if the proxy is being used?
ProxyRemote "https://website.com/query/search/" "http://proxy.com:8080"
ProxyRemote "https://website.com/query/suggest/" "http://proxy.com:8080"
<Location "/search">
RequestHeader set Auth-Key "test"
ProxyPass https://website.com/query/search/
</Location>
<Location "/suggest">
RequestHeader set Auth-Key "test"
ProxyPass https://website/query/suggest/
</Location>
Try adding LogLevel proxy:trace5 above the ProxyRemote entries.
Then check the apache2 logs (usually /var/log/apache2/access_log) for [proxy:...] entries: specifically look for [...] connecting https://website.com/[...] to website.com:443.
Don't forget to remove the LogLevel entry again, proxy:trace5 is pretty verbose.

Apache LocationMatch matching urls starting with...

I'm using apache to redirect AJAX request to server backend in my AJAX app.
Everything that starts with /service/ should go to service backend:
<LocationMatch "/service">
ProxyPass http://backend:8080/service Keepalive=On
Header set Cache-Control "no-cache, no-store, must-revalidate"
</LocationMatch>
Everything that starts with /auth goes to authentication server:
<LocationMatch "/auth">
ProxyPass http://keycloak:8090/auth/ Keepalive=On
</LocationMatch>
I was happy with my apparently working solution, until the auth channel was added to backend, and then I noticed that requests to /service/auth/info are not consumed by backend, but land in authentication server.
Apparently I have some understanding problem. How should I match URLs that start with given string, and not contain it somewhere in the middle?
Use the caret (^) to indicate the beginning of the string:
<LocationMatch "^/service">
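
A check for the overlap described above, as an added example that is not part of the original question or answer: it pulls the `<LocationMatch>` patterns out of config text, flags the ones without a leading `^`, and reports probe paths that hit more than one section. The sample config and probe paths are constructed from the question, and Python's `re` is assumed to behave like httpd's regex engine for these simple patterns.

```python
import re

# Constructed sample: the two sections from the question, as config text.
SAMPLE_CONF = '''
<LocationMatch "/service">
ProxyPass http://backend:8080/service Keepalive=On
</LocationMatch>
<LocationMatch "/auth">
ProxyPass http://keycloak:8090/auth/ Keepalive=On
</LocationMatch>
'''

SECTION_RE = re.compile(r'<LocationMatch\s+"?([^">]+)"?\s*>', re.IGNORECASE)

# Constructed probe paths, including the one that was misrouted.
PROBES = ["/service/auth/info", "/auth/login", "/service/list"]

def location_match_patterns(conf_text):
    """Return the regex of every <LocationMatch> section, in config order."""
    return SECTION_RE.findall(conf_text)

def unanchored(patterns):
    """Patterns that can match in the middle of a URL path (no leading ^)."""
    return [p for p in patterns if not p.startswith("^")]

def matching_sections(patterns, path):
    """Sections whose regex matches anywhere in the path, as unanchored ones do."""
    return [p for p in patterns if re.search(p, path)]

def overlap_report(patterns, paths):
    """Map each probe path that hits more than one section to those sections."""
    hits = {path: matching_sections(patterns, path) for path in paths}
    return {path: secs for path, secs in hits.items() if len(secs) > 1}

def anchor(patterns):
    """Apply the fix from the answer: prefix ^ where it is missing."""
    return [p if p.startswith("^") else "^" + p for p in patterns]

if __name__ == "__main__":
    pats = location_match_patterns(SAMPLE_CONF)
    print("unanchored patterns:", unanchored(pats))
    print("overlaps before:", overlap_report(pats, PROBES))
    print("overlaps after: ", overlap_report(anchor(pats), PROBES))
```

A path that appears in the overlap report can be claimed by more than one backend, which matters when one of them is an authentication server.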

Secure to secure proxy with Apache 2.4 and separate hosts

I am trying to proxy a SCORM entry point on my LMS to the content on another LMS. The manifest resource href looks like:
https://example.com/training/rest/of/the/content/link?key=value
And in my httpd.conf, I have the following:
SSLProxyEngine on
RewriteRule ^proxy:.* - [F]
ProxyPass /training/ https://theirsite.com/
ProxyPassReverse /training/ https://theirsite.com/
<Location /training/>
SetOutputFilter proxy-html
Header add referer https://theirsite.com/
Header set Accept-Ranges none
RequestHeader set referer https://theirsite.com/
RequestHeader unset Accept-Encoding
ProxyHTMLEnable on
ProxyHTMLExtended on
ProxyHTMLURLMap / ppt/
ProxyHTMLURLMap https://example.com/ ppt/
ProxyHTMLURLMap https://example.com/training/ ppt/
ProxyHTMLURLMap ppt/ https://example.com/training/
</Location>
The problems I am having are this:
The value in my manifest href is correctly hitting the content host (so my proxy values are correct), but are not returning to https://example.com/training/, they are returning to https://example.com, which leads to my next problem.
I am having to map all of the URLs when the body returns to me, which is not a problem, except the client host is actually using a third-party for a particular JS library, and mapping / to a standardized value so I can then re-standardize the entire body back to https://example.com/training/, is breaking that particular link.
I have tried various rewrites and substitutions, but I feel I may be missing a key component on this proxying business :/