Apache configurations to restrict requests with specific string in request URL - apache

I have one URL configured on Apache. Here is the configuration:
<VirtualHost 192.168.1.82:443>
ServerName test.ex.com
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always append X-Frame-Options SAMEORIGIN
Header set X-XSS-Protection "1; mode=block"
ProxyRequests On
ProxyPass /cong http://192.168.4.185:8081/cong
ProxyPassReverse /cong http://192.168.4.185:8081/cong
ErrorLog logs/test.ex.com-error_log
CustomLog logs/test.ex.com-access_log common
SSLEngine on
SSLCertificateFile /etc/httpd/*.ex.com/36287365__.ex.com.cert
SSLCertificateKeyFile /etc/httpd/*.ex.com/36287365__.ex.com.key
Header add P3P "CP=\"NOI DSP COR CURa ADMa DEVa OUR IND OTC\""
</VirtualHost>
With the above configuration, I am allowing every request that comes to https://test.ex.com/cong/. I want to restrict specific requests that contain the string "getUserPattern" in the request URL, such as https://test.ex.com/cong/module/getUserPattern/final.
I tried ProxyBlock getUserPattern but it didn't work. Is there any way/configuration to restrict such URLs at the Apache level only, or to redirect them to https://test.ex.com/cong?

First, you probably want to disable forward (standard) proxy requests (Setting ProxyRequests to Off does not disable use of the ProxyPass directive):
ProxyRequests Off
If you want to redirect any request containing getUserPattern to https://test.ex.com/cong, add these two directives above your current ProxyPass rules:
RedirectMatch "getUserPattern" "https://test.ex.com/cong"
ProxyPassMatch "getUserPattern" !
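The answer's two directives placed in the questioner's vhost, as an added example (not the question's or the answer's own configuration). The host names, addresses and certificate paths are the question's; the 403 alternative in the comment is an addition. The exclusion is what lets RedirectMatch see the request at all, because mod_proxy would otherwise claim anything under /cong before mod_alias runs.

```apache
# Added example: the question's vhost with the answer's directives in the right order.
<VirtualHost 192.168.1.82:443>
    ServerName test.ex.com
    SSLEngine on
    SSLCertificateFile /etc/httpd/*.ex.com/36287365__.ex.com.cert
    SSLCertificateKeyFile /etc/httpd/*.ex.com/36287365__.ex.com.key

    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    Header always append X-Frame-Options SAMEORIGIN
    Header set X-XSS-Protection "1; mode=block"

    # Forward (open) proxying off; ProxyPass below keeps working.
    ProxyRequests Off

    # Option A (what the answer does): send the client back to /cong.
    # Both directives match the decoded URL path, so percent-encoded spellings
    # of the pattern are caught too; prefix the regex with (?i) if the backend
    # treats paths case-insensitively.
    RedirectMatch "getUserPattern" "https://test.ex.com/cong"
    # Exclusions must come before the ProxyPass they carve out of.
    ProxyPassMatch "getUserPattern" !

    # Option B (addition, not in the answer): refuse with 403 instead of redirecting.
    # <LocationMatch "getUserPattern">
    #     Require all denied
    # </LocationMatch>

    ProxyPass /cong http://192.168.4.185:8081/cong
    ProxyPassReverse /cong http://192.168.4.185:8081/cong

    ErrorLog logs/test.ex.com-error_log
    CustomLog logs/test.ex.com-access_log common
</VirtualHost>
```

Run `apachectl configtest` after the change; the blocked requests show up in test.ex.com-access_log with a 302 (option A) or 403 (option B), which is the easiest way to confirm the rule is firing.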

Related

Host header Injection/ Host Header Url redirection in Apache2.4

I configured Apache2 server and disabled the default config file (000-default.conf) and created and enabled my own config file.
Following is the content of my conf file:
<VirtualHost *:443>
ServerName xyz.somedomain.com
SSLUseStapling on
DocumentRoot /var/www/html/
ErrorLog /var/www/logs/error.log
CustomLog /var/www/logs/access.log combined
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/cert/some.crt
SSLCertificateKeyFile /etc/apache2/ssl/private/somekey.pem
SSLProtocol All -SSLv2 -SSLv3
<Directory /var/www/html/>
Options Indexes FollowSymLinks MultiViews
AllowOverride all
Order allow,deny
allow from all
</Directory>
<IfModule mod_dir.c>
DirectoryIndex index.php index.pl index.cgi index.html index.xhtml index.htm
</IfModule>
Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"
Header set X-Content-Type-Options nosniff
Header set X-XSS-Protection "1; mode=block"
Header always append X-Frame-Options SAMEORIGIN
Header set Referrer-Policy "same-origin"
Header unset X-Forwarded-Host
</VirtualHost>
The application is running fine. But if we change the Host header and send a request to my server (let's say we change the Host header to bing.com), my server still responds to that request and redirects to bing.com.
I read that I need to configure a catch-all block, but I tried different methods; some of them break my website and some don't work. I have disabled .htaccess as well.
Please let me know how I should proceed.
I tried adding the catch-all block below, but this doesn't work:
<VirtualHost *:443>
ServerName catchall
<Location />
Order allow,deny
Deny from all
</Location>
</VirtualHost>
I also tried rewrite rules in my conf file in the sites-available directory:
RewriteEngine on
RewriteCond %{SERVER_NAME} !xyz.somedomain.com
RewriteRule ^.(.*) - [L,F]
<If "%{HTTP_HOST} != 'xyz.somedomain.com'">
Deny from all
</If>
Ref link: https://www.middlewarebox.com/2020/07/http-host-header-injection-apache-24.html
None of them works. The Apache version is 2.4.41.
In levels without StrictHostCheck where you're having trouble with virtual host (or other) methods, you could try:
RequestHeader set Host xyz.somedomain.com early
This should cause the server to act as if the client uses xyz.somedomain.com, even if they didn't.
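A catch-all that works on a 2.4.41 install, as an added example (not the question's or the answer's configuration). Apache serves any Host header that matches no ServerName or ServerAlias from the first <VirtualHost> defined for that address and port, so the catch-all has to be listed before the real one. It also has to carry the same TLS settings: mod_ssl only hands a request whose Host header differs from the SNI name to another vhost when the two have a compatible SSL setup. The certificate paths are the question's own; catchall.invalid is a placeholder name.

```apache
# Added example: default (first) vhost for *:443 refuses every unmatched Host header.
<VirtualHost *:443>
    ServerName catchall.invalid
    # Same TLS setup as the real vhost, otherwise the SNI/Host mismatch is rejected
    # with an error instead of reaching this block.
    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/cert/some.crt
    SSLCertificateKeyFile /etc/apache2/ssl/private/somekey.pem
    SSLProtocol All -SSLv2 -SSLv3
    # 2.4 authorization syntax; Order/Deny are the 2.2 forms from mod_access_compat.
    <Location "/">
        Require all denied
    </Location>
    ErrorLog /var/www/logs/catchall-error.log
    CustomLog /var/www/logs/catchall-access.log combined
</VirtualHost>

# The real site comes second and is selected only by its own name.
<VirtualHost *:443>
    ServerName xyz.somedomain.com
    # ... the rest of the question's configuration, unchanged ...
</VirtualHost>
```

A quick check from the shell: `curl -sk -H 'Host: bing.com' https://xyz.somedomain.com/ -o /dev/null -w '%{http_code}'` should print 403, while the same request with the real Host header still reaches the application. Requests for the wrong name also land in catchall-access.log, which gives a clean signal to alert on.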

LocationMatch not matching like Location (Apache 2.4)

I'm trying to understand what is going on with LocationMatch. Right now I have a Location similar to the following,
<Location "/context">
RequestHeader set X-Forwarded-Proto https
RequestHeader set X-Forwarded-Port 443
ProxyPreserveHost On
ProxyPass http://example.com/context retry=0 connectiontimeout=300 timeout=300
ProxyPassReverse http://example.com/context
</Location>
Next I change only Location to LocationMatch, as below, and that works fine.
<LocationMatch "/context">
RequestHeader set X-Forwarded-Proto https
RequestHeader set X-Forwarded-Port 443
ProxyPreserveHost On
ProxyPass http://example.com/context retry=0 connectiontimeout=300 timeout=300
ProxyPassReverse http://example.com/context
</LocationMatch>
But as soon as I introduce a regular expression this no longer matches correctly. For example, I want to match paths starting with /context,
<LocationMatch "^/context">
RequestHeader set X-Forwarded-Proto https
RequestHeader set X-Forwarded-Port 443
ProxyPreserveHost On
ProxyPass http://example.com/context retry=0 connectiontimeout=300 timeout=300
ProxyPassReverse http://example.com/context
</LocationMatch>
I've been through the documentation multiple times and can't seem to figure out why this regex doesn't match. I've also seen SOQs like Apache LocationMatch matching urls starting with... but this regex doesn't work. I have a single VirtualHost on a vanilla Ubuntu apache2 install with this single LocationMatch. The entire conf file looks like this,
ProxyRequests off
PassEnv HTTPD_SERVER_NAME HTTPD_SERVER_ADMIN SSL_CERTIFICATE_FILE SSL_CERTIFICATE_KEY_FILE
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile ${SSL_CERTIFICATE_FILE}
SSLCertificateKeyFile ${SSL_CERTIFICATE_KEY_FILE}
Protocols h2 http/1.1
ServerName ${HTTPD_SERVER_NAME}
ServerAdmin ${HTTPD_SERVER_ADMIN}
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM
# Requires Apache 2.4.36 & OpenSSL 1.1.1
SSLProtocol -all +TLSv1.3 +TLSv1.2
SSLOpenSSLConfCmd Curves X25519:secp521r1:secp384r1:prime256v1
# Older versions
# SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
# Requires Apache >= 2.4.11
SSLSessionTickets Off
SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
<LocationMatch "^/context">
RequestHeader set X-Forwarded-Proto https
RequestHeader set X-Forwarded-Port 443
ProxyPreserveHost On
ProxyPass http://example.com/context retry=0 connectiontimeout=300 timeout=300
ProxyPassReverse http://example.com/context
</LocationMatch>
</VirtualHost>
My question is, should <LocationMatch "^/context"> match URLs starting with /context? For example, https://mydomain/context? And if this should match, any idea what else could be interfering? I'm on version 2.4.41, but I've seen this behavior since at least 2.4.6. Thanks
According to the Apache docs on the ProxyPass directive:
When used inside a <Location> section, the first argument is omitted
and the local directory is obtained from the <Location>. The same will
occur inside a <LocationMatch> section; however, ProxyPass does not
interpret the regexp as such, so it is necessary to use ProxyPassMatch
in this situation instead.
If I understand this correctly, it's not that your <Location> regex is invalid, it's just that your <ProxyPass> doesn't interpret it as a regex. So use <ProxyPassMatch> instead.
Also, this SO question led me to some other pages which support the idea that <LocationMatch> and <ProxyPass> are incompatible with each other:
As indicated by this comment and this page, I need to replace
ProxyPass [with] ProxyPassMatch when using that inside a LocationMatch block
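The same section with ProxyPassMatch, as an added example (not from the question or the answers). Three changes beyond swapping the directive: the regex is tightened so that /contextual does not match, the remainder of the path is captured and appended to the backend URL (ProxyPassMatch substitutes the match and does not append anything on its own), and ProxyPassReverse moves out of the section, because inside <LocationMatch> it would take the regex text as its path prefix. example.com is the question's placeholder backend.

```apache
# Added example: the question's vhost body with a regex-aware proxy section.
<VirtualHost *:443>
    # ... the question's TLS, logging and header lines ...

    # (/.*)? requires either the end of the path or a "/" after "context",
    # and captures the remainder as $1.
    <LocationMatch "^/context(/.*)?$">
        RequestHeader set X-Forwarded-Proto https
        RequestHeader set X-Forwarded-Port 443
        ProxyPreserveHost On
        # Inside <LocationMatch> the regex comes from the section, so only the
        # target is given; $1 carries the rest of the request path.
        ProxyPassMatch "http://example.com/context$1" retry=0 connectiontimeout=300 timeout=300
    </LocationMatch>

    # Literal prefix at vhost level so Location/Content-Location headers from the
    # backend are rewritten correctly.
    ProxyPassReverse /context http://example.com/context
</VirtualHost>
```

Two caveats the question's full file raises: the SSLProxyVerify none and SSLProxyCheckPeer* off lines only take effect for an https:// backend, and there they switch certificate checking off, so they are worth removing if the backend ever moves to TLS; and ProxyPreserveHost On passes the client's Host header through to the backend, which is fine only when the backend validates it.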

Apache No 'Access-Control-Allow-Origin' header

I searched through old questions but didn't find how to figure out my issue.
I have a LF site; everything works pretty well; when I go to http://localhost:8080/ I have no problem and no error is shown in Firebug and/or the Chrome console.
I then configured an Apache HTTP Server. Everything seems correct to me, but when I try the URL http://localhost I see my site but some resources are not loaded. In the Chrome console (but also in Firebug) I get the following error:
2(index):1 Font from origin 'http://localhost:8080' has been blocked
from loading by Cross-Origin Resource Sharing policy: No
'Access-Control-Allow-Origin' header is present on the requested
resource. Origin 'http://localhost' is therefore not allowed access.
I don't know how to resolve this issue. It seems to me an Apache configuration mistake.
This is my virtual host configuration:
<VirtualHost *:80>
#CORS
<Directory "/var/www/">
AllowOverride All
Order allow,deny
allow from all
</Directory>
# Always set these headers.
Header always set Access-Control-Allow-Origin "*"
Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
Header always set Access-Control-Max-Age "1000"
Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token"
# Added a rewrite to respond with a 200 SUCCESS on every OPTIONS request.
RewriteEngine On
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ $1 [R=200,L]
ProxyPass /c http://localhost:8080/c
ProxyPassReverse /c http://localhost:8080/c
ProxyPass /si http://localhost:8080/si
ProxyPassReverse /si http://localhost:8080/si
ProxyPass /image http://localhost:8080/image
ProxyPassReverse /image http://localhost:8080/image
ProxyPass /documents http://localhost:8080/documents
ProxyPassReverse /documents http://localhost:8080/documents
ProxyPass /html http://localhost:8080/html
ProxyPassReverse /html http://localhost:8080/html
ProxyPass /sprite http://localhost:8080/sprite
ProxyPassReverse /sprite http://localhost:8080/sprite
ProxyPass /combo http://localhost:8080/combo
ProxyPassReverse /combo http://localhost:8080/combo
ProxyPass / http://localhost:8080/web/mySimpleLog
ProxyPassReverse / http://localhost:8080/web/mySimpleLog
ErrorLog logs/mySimpleLog-error_log
CustomLog logs/mySimpleLog-access_log common
</VirtualHost>
Everything seems correct to me... Is there any other option I should set?
Do you have any idea where I'm going wrong?
Thank you
Angelo
You're setting your CORS headers only on port 80, but the cross-origin part is from port 80 to port 8080 -- you should move the Header set ... outside of virtual host context or duplicate it in your 8080 vhost.
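An added example (not the question's or the answer's configuration) of keeping the whole site on one origin so no cross-origin request happens at all, with an Origin allow-list for the cases that still need one instead of the wildcard. It assumes the application builds its absolute URLs, font URLs included, from the incoming Host header, so with ProxyPreserveHost On those URLs point at http://localhost and are fetched through Apache like everything else; the names and ports are the question's.

```apache
# Added example: single-origin front end with an Origin allow-list.
<VirtualHost *:80>
    ServerName localhost
    ProxyRequests Off
    # Backend sees "Host: localhost" and generates URLs on this origin,
    # so the browser never has to ask localhost:8080 directly.
    ProxyPreserveHost On

    # Echo an Origin back only when it is on the list; anything else gets no
    # CORS header at all (the browser then blocks it, as it should).
    SetEnvIf Origin "^http://localhost(:8080)?$" CORS_ORIGIN=$0
    Header always set Access-Control-Allow-Origin "%{CORS_ORIGIN}e" env=CORS_ORIGIN
    Header always set Access-Control-Allow-Methods "GET, POST, OPTIONS, PUT, DELETE" env=CORS_ORIGIN
    Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token" env=CORS_ORIGIN
    Header always set Access-Control-Max-Age "1000" env=CORS_ORIGIN
    # Caches must not reuse a response produced for a different Origin.
    Header always merge Vary Origin

    ProxyPass /c http://localhost:8080/c
    ProxyPassReverse /c http://localhost:8080/c
    # ... the question's other ProxyPass/ProxyPassReverse pairs ...
    ProxyPass / http://localhost:8080/web/mySimpleLog
    ProxyPassReverse / http://localhost:8080/web/mySimpleLog

    ErrorLog logs/mySimpleLog-error_log
    CustomLog logs/mySimpleLog-access_log common
</VirtualHost>
```

If the font URLs still point at localhost:8080 after this, the application is not deriving them from the Host header and has to be told its public host name in its own configuration; CORS headers on port 80 can never fix a request the browser sends straight to port 8080.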

apache2 mod_headers not working

Question description: I want to set "Access-Control-Allow-Origin" for my site, so I set it in Apache's config (almost everywhere), but it's not working. I also set other headers for testing, but they're not working either.
Apache version: 2.2.22
Apache modules: http://www.anwcl.com/test/show_modules.php
My target url:
http://www.anwcl.com/test/test_only_div.html
And it's linked to my local file:
e:\wamp\www\test\test_only_div.html
And here's my apache's configurations:
E:\wamp\bin\apache\apache2.2.22\conf\httpd.conf
...
LoadModule headers_module modules/mod_headers.so
...
Include conf/extra/httpd-vhosts.conf
...
E:\wamp\bin\apache\apache2.2.22\conf\extra\httpd-vhosts.conf
NameVirtualHost *:80
<VirtualHost *:80>
Header add Access-Control-Allow-Origin "*"
Header echo ^TS
Header add MyHeader "Hello Joe. It took %D microseconds for Apache to serve this request."
ServerAdmin xxx@gmail.com
DocumentRoot "E:/wamp/www/"
ServerName www.anwcl.com
ErrorLog "logs/xxx.log"
CustomLog "logs/xxx.log" common
<Directory "E:/wamp/www/">
Header add Access-Control-Allow-Origin "*"
Options Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
E:\wamp\www\.htaccess
Header add Access-Control-Allow-Origin "*"
Header add Access-Control-Allow-Headers "origin, x-requested-with, content-type"
Header add Access-Control-Allow-Methods "PUT, GET, POST, DELETE, OPTIONS"
E:\wamp\www\test\.htaccess
Header add Access-Control-Allow-Origin "*"
Header add Access-Control-Allow-Headers "origin, x-requested-with, content-type"
Header add Access-Control-Allow-Methods "PUT, GET, POST, DELETE, OPTIONS"
And here are Wireshark's captures; the expected headers are not there:
http://www.anwcl.com/question/apache-mod-headers-not-working.jpg
http://www.anwcl.com/question/apache-mod-headers-not-working-304.jpg
I also ran into this issue and fixed it when I realized I was modifying the wrong Virtual-host in my config file found here: /etc/apache2/sites-enabled/000-default.conf.
I was modifying the default VirtualHost config when I was using one with a different port.
<VirtualHost *:6000>
Header set Access-Control-Allow-Origin "*"
</VirtualHost>
I also ran into the error Dylan Maxey described and got around it by disabling the cache in the browser inspector.
Here is also a link to a site I found helpful:
https://enable-cors.org/server_apache.html
Check the output of phpinfo() to see if mod_headers is loaded in your Apache web server.
The changes could have possibly taken place and you aren't seeing the changes within your browser. This is especially typical if you're serving static files like the images you're trying to alter the headers of.
You can even have chrome disable cache while viewing the page with the Javascript console open and still not see the changes take effect.
What you'll want to look for is the response code. If it's a 304, the server has recognized that your browser already has a valid representation of the requested file, and will serve that file. If it does, you will not see the headers you've added after your browser initially downloaded that page.
To see if this is the case, change the url to http://myexample.com/myimage.jpg?t=1, or any other random query parameter and see if that works.
For my case, adding the Header set "key" "value" did not work. I had to use RequestHeader set "key" "value" for the ProxyPass to send the header.
<VirtualHost *:443>
ServerName myserver.com
ServerAlias www.myserver.com
ProxyRequests Off
ProxyPreserveHost On
ProxyPass / http://127.0.0.1:8081/
ProxyPassReverse / http://127.0.0.1:8081/
RequestHeader set "X-Forwarded-Proto" "https"
#
# Setup SSL
#
# SSLProxyEngine on
SSLEngine on
SSLCertificateFile location-to-certificate.crt
SSLCertificateKeyFile location-to-private.key
SSLCertificateChainFile location-to-ca_bundle.crt
</VirtualHost>
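An added example (not the question's or the answers' configuration), written for the 2.2 WAMP layout in the question, that separates the two directions the third answer runs together: Header edits the response sent to the browser, RequestHeader edits the request passed to a proxied backend. Putting the Header lines at server scope, outside every <VirtualHost>, applies them to all vhosts on all ports, which sidesteps the wrong-vhost mistake the first answer describes. The module is loaded in httpd.conf as the question shows; the second vhost name, the allowed origin and the backend port are placeholders, and the proxy vhost assumes mod_proxy and mod_proxy_http are loaded.

```apache
# Added example: server-scope response headers, per-vhost backend request headers.

# Server scope (httpd.conf, after the LoadModule line): every vhost gets these.
# "always" also applies them to error and redirect responses; plain "Header set"
# touches only successful ones. The origin is pinned instead of "*".
<IfModule mod_headers.c>
    Header always set Access-Control-Allow-Origin "http://app.example"
    Header always set Access-Control-Allow-Headers "origin, x-requested-with, content-type"
    Header always set Access-Control-Allow-Methods "PUT, GET, POST, DELETE, OPTIONS"
    # Constructed diagnostic header: if it is missing, mod_headers never ran.
    Header always set X-Headers-Module "active"
</IfModule>

NameVirtualHost *:80

# Static site from the question.
<VirtualHost *:80>
    ServerName www.anwcl.com
    DocumentRoot "E:/wamp/www/"
    <Directory "E:/wamp/www/">
        Options FollowSymLinks
        # .htaccess Header lines are then ignored; one place to look, one place to audit.
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
    ErrorLog "logs/anwcl-error.log"
    CustomLog "logs/anwcl-access.log" common
</VirtualHost>

# Placeholder vhost that fronts a backend: RequestHeader goes to the backend,
# while the server-scope Header lines above still go to the browser.
<VirtualHost *:80>
    ServerName api.anwcl.com
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:8081/
    ProxyPassReverse / http://127.0.0.1:8081/
    RequestHeader set X-Forwarded-Proto "http"
</VirtualHost>
```

Test with a cache-busting query string, as the second answer suggests, or with a client that does not cache at all; the presence of X-Headers-Module on a fresh 200 response settles whether the module is active before any CORS debugging starts.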

Configure Apache to avoid cross domain call with Dart

I'm trying to configure Apache using mod_proxy to develop a Dart web app locally, but I can't seem to get it set up correctly.
In my httpd.conf I've enabled the following lines:
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
Include conf/extra/httpd-vhosts.conf
In httpd-vhosts.conf I tried to set up what I needed, but it doesn't seem to be working. I've got a spring web app I'm running from Eclipse with Jetty. So that is on http://localhost:8080. Then I run Dart from the Dart Editor, and it ends up being on 127.0.0.1:3030 (although the total path of a request like "login" is: http://127.0.0.1:3030/C:/Users/CorayThan/dart/BlightedRealmUi/web/out/login).
Either way, I'm trying to get apache to redirect my requests from 127.0.0.1:3030 to localhost:8080. I've tried to do that like this in httpd-vhosts.conf:
<VirtualHost *:80>
ServerAdmin test@localhost
ServerName 127.0.0.1:3030
ProxyPass / http://localhost:8080
ProxyPassReverse / http://localhost:8080
ErrorLog "logs/proxy-error.log"
</VirtualHost>
But it doesn't seem to be working at all. Can anyone suggest how I can fix it, or suggest a better way to do this in the first place? (I don't want to use CORS or Jsonp, I just want an easy cross-browser compatible hack for development.)
I'm not sure you can do this; your VHost would have to listen on 3030, not 80 as you have above, to perform the proxy function, which it can't do as Dart is using this port. Below is an extract from a VHost file I use to proxy from Dartium to a CouchDB server to allow a browser-based CouchDB client access using CORS; this may not be what you want though:
<VirtualHost *:8080>
<Proxy http://141.196.22.210:5984>
Order deny,allow
Allow from all
</Proxy>
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^OPTIONS
Header set Access-Control-Allow-Origin http://127.0.0.1:3030
Header set Access-Control-Allow-Credentials true
Header set Access-Control-Allow-Headers Content-Type
Header merge Access-Control-Allow-Headers Authorization
Header merge Access-Control-Allow-Headers Destination
Header set Access-Control-Allow-Methods GET
Header merge Access-Control-Allow-Methods POST
Header merge Access-Control-Allow-Methods PUT
Header merge Access-Control-Allow-Methods OPTIONS
Header merge Access-Control-Allow-Methods DELETE
Header merge Access-Control-Allow-Methods HEAD
Header merge Access-Control-Allow-Methods COPY
Header set Access-Control-Max-Age 3600
ProxyRequests off
ProxyPreserveHost Off
KeepAlive Off
ProxyPass / http://141.196.22.210:5984/ nocanon
ProxyPassReverse / http://141.196.22.210:5984/
</VirtualHost>
So, when my client app logs in to Couch it uses 141.196.22.210:8080.
I had the same problem and I solved it by creating a virtual host with a proxy for both tomcat and for the dart application. Roughly, here is my virtual host:
NameVirtualHost *:80
<VirtualHost *:80>
ServerName dartapp
<Location "/tomcat-application-context/">
ProxyPass "http://localhost:8080/tomcat-application-context/"
ProxyPassReverse "http://localhost:8080/tomcat-application-context/"
</Location>
<Location "/dart/">
ProxyPass "http://127.0.0.1:3030/"
ProxyPassReverse "http://127.0.0.1:3030/"
</Location>
</VirtualHost>
Normally when you "Run in Dartium" you'll access the app with the full path to your dart app:
http://127.0.0.1:3030/full/path/to/web/app.html
Instead, access your apache virtual host with your /full/path/to/web/app.html prefixed with your proxy location (i.e. /dart/full/path/to/web/app.html):
http://dartapp:80/dart/full/path/to/web/app.html
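The second answer's layout restricted to the local machine, as an added example (not from the question or the answers): a development proxy that fronts two application servers should not be reachable from the rest of the network, so it binds to the loopback address and refuses other clients. The ServerName dartapp and the two backends are the answer's own; Require is the 2.4 syntax (2.2 would use Order/Allow), and the Listen line replaces the plain "Listen 80" in httpd.conf rather than being added next to it.

```apache
# Added example: loopback-only development proxy for the Tomcat and Dart servers.
# In httpd.conf, replace "Listen 80" with:
Listen 127.0.0.1:80

<VirtualHost 127.0.0.1:80>
    ServerName dartapp
    ProxyRequests Off

    # Belt and braces: even if the Listen line is later widened, only local
    # clients are served.
    <Location "/">
        Require ip 127.0.0.1 ::1
    </Location>

    <Location "/tomcat-application-context/">
        ProxyPass "http://localhost:8080/tomcat-application-context/"
        ProxyPassReverse "http://localhost:8080/tomcat-application-context/"
    </Location>

    <Location "/dart/">
        ProxyPass "http://127.0.0.1:3030/"
        ProxyPassReverse "http://127.0.0.1:3030/"
    </Location>

    ErrorLog "logs/dartapp-error.log"
</VirtualHost>
```

The name dartapp still needs a hosts-file entry pointing at 127.0.0.1, exactly as the answer's URL http://dartapp:80/dart/... implies; with that in place the whole app is one origin and no CORS headers are needed.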