Apache reverse proxy https config leads to 503 error - apache

Hope someone can point me in the right direction. I've been trying to get this to work for many hours :(
Scenario - I have a DMZ where I've set up the Apache server. I need to securely talk to the internal server where I have set up another Apache server which is reverse proxied again to a localhost app within the server.. So, basically..
outside world > internet (https://app1.com) > dmz (apache reverse proxy) > internal server (apache reverse proxy - https://app1prod.com) > (http) > localhost:8080
Now, in dmz, I can directly access https://app1prod.com without issues. But, I can't for the life of me get https://app1.com to work from dmz. I get a '503 service unavailable' message :( Here is my apache config in dmz..
<VirtualHost *:443>
ServerName app1.com
ProxyRequests off
SSLProxyCheckPeerName off
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerExpire off
LogLevel debug
SSLEngine on
SSLProxyEngine on
SSLCertificateFile "xxx/cert.crt"
SSLCertificateKeyFile "xxx/key.key"
SSLCertificateChainFile "xxx/certchain.crt"
ProxyPass / https://app1prod.com/
ProxyPassReverse / https://app1prod.com/
<Proxy *>
order deny,allow
Allow from all
</Proxy>
ProxyPreserveHost on
ProxyTimeout 1200
</VirtualHost>
On my httpd.conf, I have the following modules loaded in addition to the defaults..
mod_proxy.so
mod_proxy_connect.so
mod_proxy_http.so
mod_ssl
mod_rewrite.so
mod_socache_shmcb.so
mod_ssl.so
What am I doing wrong? Please help! Thanks a lot..

Try removing ProxyPreserveHost on.
With that directive enabled, the proxied requests will be send to server defined in ProxyPass directive, but the HTTP Host: header will be preserved from initial request. In your case, the requests sent by Apache to app1prod.com will have Host: app1.com header, and app1prod.com i not configured (probably deliberately) to respond to such request.

Related

Apache proxy says hostname from SNI doesn't match hostname from HTTP

I'm setting up a forward proxy on Apache 2.4, and I'm finding that every request for an HTTPS url results in a 400 response.
The apache error log shows:
[ssl:error] AH02032: Hostname my.example.net provided via SNI and hostname stanford.edu provided via HTTP are different
What could I be doing wrong? My config is as follows:
Listen 3443
<VirtualHost *:3443>
SSLEngine on
ProxyRequests on
ProxyVia off
<Proxy *>
Allow from all
</Proxy>
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/my.example.net/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/my.example.net/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/my.example.net/chain.pem
ErrorLog /var/log/httpd/myerr.log
</VirtualHost>
I've tried adding all of the following but to no effect:
SSLProxyEngine with both on and off
SSLProxyVerify none
AllowCONNECT 443
I test the proxy by running:
https_proxy='https://my.example.net:3443/' curl 'https://stanford.edu/'
My server my.example.net is running Apache 2.4 on CentOS 7
The curl command appears to be the issue: instead of using an https scheme for the https_proxy variable, use http (so that there is only one TLS connection, and it goes right through to the destination host):
https_proxy='http://my.example.net:3443/' curl 'https://stanford.edu/'

Httpd with api gateway [AWS] : Error reading from remote server

In my use case i have to make an api gateway accessible by a reverse proxy.
something like this :
(users -> Httpd(EC2) -> api gateway -> lambda)
I was able to create a vpc-link between my api gateway and my virtual machine EC2( it's working perfectly).
but the second part is to create a server httpd which will redirecte the requests from other networks to my api gateway.
but my httpd server seems not working
here the error
Proxy Error
The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request GET /myapi/.
Reason: Error reading from remote server
here my httpd configuration
<VirtualHost *:443>
# Use HTTP Strict Transport Security to force client to use secure connections only
Header always set Strict-Transport-Security "max-age=300; includeSubDomains; preload"
ServerAdmin administrator#test.net
ServerName www.test.net
ServerAlias test.net
DocumentRoot /var/www/html/test.net/public_html/
SSLEngine on
SSLCertificateFile /etc/httpd/selfsigned/server.crt
SSLCertificateKeyFile /etc/httpd/selfsigned/server.key
SSLProxyEngine On
ProxyPass /myapi/ https://apigateway.amazonaws.com/ retry=1 acquire=3000 timeout=24000 Keepalive=On
ProxyPassReverse /myapi/ https://apigateway.amazonaws.com/
ProxyPreserveHost On
</VirtualHost>
NB: the lambda function return a simple response.
do you have an idea ?
thank you in advance

Apache reverse proxy and Wicket CsrfPreventionRequestCycleListener

Since integrating CsrfPreventionRequestCycleListener into our Apache Wicket (7.6.0) application, we have a problem operating the application behind an Apache reverse proxy.
Our configuration terminates SSL at Apache, and the reverse proxy passes the requests via http to our Wildfly 10 application server. This allows us to offload TLS/SSL among other things.
But since adding the CsrfPreventionRequestCycleListener, we are seeing the following in the server.log file and connections are aborted:
[org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener]
(default task-12) Possible CSRF attack, request URL:
http://example.com/example/portal/wicket/page,
Origin: https://example.com, action: aborted with error
400 Origin does not correspond to request
The problematic Apache config:
<VirtualHost example.com:443>
ServerName example.com
LogLevel debug
SSLEngine On
SSLCertificateFile /var/example/example.com/signed.crt
SSLCertificateKeyFile /var/example/example.com/domain.key
SSLCACertificateFile /var/example/example.com/intermediate.pem
SSLProtocol +TLSv1.2 +TLSv1.1 +TLSv1
SSLOpenSSLConfCmd DHParameters "/usr/local/apache2/1024dhparams.pem"
SSLProxyEngine on
ProxyPass / http://localhost:8390/ timeout=600
ProxyPassReverse / http://localhost:8390/ timeout=600
ProxyPreserveHost On
Header set Access-Control-Allow-Origin "*"
Header set Access-Control-Allow-Credentials "true"
Header edit Location ^http(\:\/\/.*)$ https$1
We found a solution using http2 but would prefer one without http2 (for reasons, see in https://http2.pro/doc/Apache).
The working Apache configuration using http2
<VirtualHost example.com:443>
ServerName example.com
LogLevel debug
SSLEngine On
SSLCertificateFile /var/example/example.com/signed.crt
SSLCertificateKeyFile /var/example/example.com/domain.key
SSLCACertificateFile /var/example/example.com/intermediate.pem
SSLProtocol +TLSv1.2 +TLSv1.1 +TLSv1
SSLOpenSSLConfCmd DHParameters "/usr/local/apache2/1024dhparams.pem"
SSLProxyEngine On
ProxyPreserveHost On
# Settings for http2 communication
Protocols h2 http/1.1
ProxyPass / https://localhost:8754/ timeout=600
ProxyPassReverse / https://localhost:8754/ timeout=600
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
Header set Access-Control-Allow-Origin "*"
Header set Access-Control-Allow-Credentials "true"
# Header edit Location ^http(\:\/\/.*)$ https$1
</VirtualHost>
Can anyone help us create a valid apache reverse proxy configuration that works with the CsrfPreventionRequestCycleListener without the http2 module?
I think I had a similar issue here and solved it just now. I think you might have solved your issue by now but maybe anyone else is falling over this topic.
You might want to look into a network dump to verify the problem. For me, apache sent requests to the locally running service (your case to http://localhost:8754) while some request headers were still referring the public name https://example.com. This was detected as a security risk and the connection refused by the underlying service.
I made sure, that mod_headers was enabled in apache and added the line
RequestHeader edit Referer "https://example.com" "http://localhost:8754"
After that no more references to anything related to example.com was in my tcp dumps and the connection was opened successfully.
You might need to adopt according to your setup (maybe you need multiple headers corrected or something similar). I cannot try it out at the moment.

Apache 2.4 issue on proxypass balancing on two BalancerMember [Weblogic 12c]

I have an Apache 2.4.12 on a dedicated machine (RedHat 6.x) that must balance on another machine with two Weblogic Managed Servers (port: 9101 and 9102. Weblogic 12c on RedHat 6.x) where I have deployed the application "Pega".
I have implemented the configuration below on the Apache VirtualHost (myvirtualhost.conf) but if I have both BalancerMember active it doesn't work. If I comment one of the two BalancerMember it works fine.
Do you have any suggestion to fix it?
thanks in advance for your collaboration
<VirtualHost myvirtualhost:443>
SSLEngine on
SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProtocol all -SSLv2
#Server certificate
SSLCertificateFile /opt/rh/httpd24/root/etc/httpd/ssl/xxx.cer
#chiave privata del server:
SSLCertificateKeyFile /opt/rh/httpd24/root/etc/httpd/ssl/xxx.key
#chain del certificato del server:
SSLCertificateChainFile /opt/rh/httpd24/root/etc/httpd/ssl/xxx.crt
#Certificate Authority (CA):
#SSLCACertificateFile /opt/rh/httpd24/root/etc/httpd/ssl/xxx.crt
################################
<Proxy balancer://mybalancing>
BalancerMember https://myweblogicserver:9101
BalancerMember https://myweblogicserver:9102
</Proxy>
ProxyRequests on
ProxyPreserveHost on
##########Disable URL ############
ProxyPass /myexcludedpath !
##################################
ProxyPass "/" "balancer://mybalancing/"
ProxyPassReverse "/" "balancer://mybalancing/"
</VirtualHost>
Edit:
Yes i set correctly parameters.
I reach the login page (both when it works and when it doesn't) but when it doesn't work, if i enter my credential, i see:
Status fail
Message There has been an issue; please consult your system administrator
Operator ID Unauthenticated or not available
Requestor ID No ID available
Timestamp Thu Feb 25 12:37:36 CET 2016
Engine Version PegaRULES 7.10 ML9 (coreAssemblyCached_719_730)
But if i comment one of the BalancerMember:
<Proxy balancer://mybalancing>
# BalancerMember https://myweblogicserver:9101
BalancerMember https://myweblogicserver:9102
</Proxy>
It works fine.
So i guess i miss something in the declaration of 'balancer' , or maybe i miss some directive..
Any suggestion would be really appreciated.
Thanks
EDIT2:
Yes the session replication works well between the two servers. I'm able to login using a direct URL to a server (actually a Node in a server, the machine is the same, what changes is the port : 9101 and 9102) and then switch the other server (other node) maintaining my current session..
I guess it's some directive of proxypass but its the first time i face it
To use the WebLogic Web Server plugins, these are the basic steps:
Download the .so file and copy to /etc/httpd/modules.
Create a file called /etc/httpd/conf.d/weblogic.conf with the following content:
LoadModule weblogic_module modules/mod_wl_24.so
<IfModule weblogic_module>
WebLogicCluster myweblogicserver:9101,myweblogicserver:9102
DebugConfigInfo ON
MatchExpression *
</IfModule>

How to implement a reverse proxy for one subdomain

I have a set of servers behind a firewall. It only supports port forwarding. So far all my subdomains (www., server., beta., cloud.) are all on one server (OS X Server).
I also have a dev. subdomain that is on a separate Freebsd server. form my internal network i can use my DNS to send traffic to the correct server for the dev. subdomain. but when i access from outside i cannot get to the dev server via port 80 as that port is forwarded to the main server.
Rather than using a none standard port I would like to reverse proxy back to the dev server from my main server but it looks like this is for URL's not for subdomains. Is there a way i can route all requests for dev.example.com to the internal development server via my main server.
Thanks..
Yes, that's a standard use case for all common rproxies, and you'll find almost ready to use examples in their respective documentations. With nginx the basic setup will look like this (put this a file in the enabled-sites subdirectory):
server {
# prod marked as default so lost traffic ends up on production
listen 192.168.0.1:80 default;
server_name production.your.domain;
access_log /var/log/nginx/production-access.log;
location / {
proxy_pass http://your.production.server:80;
}
}
server {
listen 192.168.0.1:80;
server_name dev.your.domain;
access_log /var/log/nginx/development-access.log;
location / {
proxy_pass http://your.development.server:80;
}
}
With Pound you could use something like
Service
HeadRequire "Host: .*production.your.domain.*"
BackEnd
Address your.production.server
Port 80
End
End
Service
HeadRequire "Host: .*dev.your.domain.*"
BackEnd
Address your.development.server
Port 80
End
End
# and a safety net for lost traffic
Service
URL "/"
Redirect "http://production.you.domain"
end;
Apache's mod_proxy is also possible, but due to lack of hands on experience with that combo I had to borrow an example from an Atlassian documentation webpage:
# Put this after the other LoadModule directives
LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so
LoadModule proxy_http_module /usr/lib/apache2/modules/mod_proxy_http.so
# Put this with your other VirtualHosts, or at the bottom of the file
NameVirtualHost *
<VirtualHost *>
ServerName confluence.example.com
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass / http://confluence-app-server.internal.example.com:8090/
ProxyPassReverse / http://confluence-app-server.internal.example.com:8090/
<Location />
Order allow,deny
Allow from all
</Location>
</VirtualHost>
<VirtualHost *>
ServerName jira.example.com
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass / http://jira-app-server.internal.example.com:8080/
ProxyPassReverse / http://jira-app-server.internal.example.com:8080/
<Location />
Order allow,deny
Allow from all
</Location>
</VirtualHost>