Apache Server add client IP in a custom header before forwarding request

Scenario is such that the Apache Http Server will act as a reverse proxy and sit in front of the main application server. In the application server the client IP address needs to be logged.
My requirement is to capture the client IP address and then add this IP address as a custom request header (e.g. TRUEIP=123.123.123.123) and forward it to the application server.
Please note I have read articles about logging the original client IP to the Apache logs. But my requirement is to access the IP address and add it to a header.
Also I did try to access the environment variables using "%{h}i" or "%{h}e" but in this case the header value was displayed as "i=18" (without the quotes). In fact the header value was printed the same "i=18" for User-Agent, Referer also.
Please help me out with a solution.
I use Apache 2.4.28 (from Apache Lounge) on Windows 7. The application server used is Oracle OC4J (but I need to do the configuration at the Apache end only, as the application can be different in different environments).

Something along the lines of:
RequestHeader set TRUEIP "%{REMOTE_ADDR}s"
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
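
An Apache 2.4 variant of the answer above, as an added example that is not part of the original answer: it uses the `expr=` value syntax of mod_headers (2.4.10 and later) instead of the `%{...}s` specifier, which mod_headers documents as an SSL variable lookup that needs mod_ssl. The header name TRUEIP and the backend URL are taken from the question and answer; the port 80 virtual host wrapper is an assumption.

```apache
# Added example, not from the original answer.
# Assumes mod_headers, mod_proxy and mod_proxy_http are loaded.

<VirtualHost *:80>
    # Reverse proxy only; never act as an open forward proxy.
    ProxyRequests Off

    # "set" replaces any TRUEIP header the client sent, so the backend
    # only ever sees the peer address Apache observed on the connection.
    RequestHeader set TRUEIP "expr=%{REMOTE_ADDR}"

    # mod_proxy_http also adds X-Forwarded-For by itself, but it appends
    # to a client-supplied value instead of replacing it, so the first
    # entry of that header is not trustworthy on its own.

    ProxyPass        / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/
</VirtualHost>
```

The application server should treat TRUEIP as meaningful only on connections that come from the proxy, since anything that can reach port 8080 directly can send the header itself.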

Related

Apache2 reverse proxy multiple sources into one http connection

I'm trying to create a proxy on my Apache2 web server. It's not really pertinent to the question, but I have a Raspberry Pi running a music player with an HTTP interface attached to an unrestricted internet connection. I want to be able to control the music from a work machine which is behind a content filter that blocks Spotify.
Client ---> Content Filter ----> My proxy ---> Unblocked target server
                  |
                  |
                  /
           Blocked content
I want clients to be able to connect to my proxy server and view the pages on my unblocked target server. I am currently able to do this using the following code in my VirtualHost section:
<Location "/foo">
ProxyPass "http://targetserver/bar"
Order allow,deny
Allow from all
</Location>
This allows me to see the page when I visit http://myproxy/foo but it doesn't load completely. I know that this is from content that is being blocked by a content filter that I cannot influence.
How do I configure my Apache2 proxy server to also forward the content that the client would normally receive from external servers? I want my proxy server to provide all the content to the client for this web interface opaquely.
Thanks in advance for your time.
Solved it!
I needed to proxy the websockets as well. Adding the following lines worked:
ProxyPass /foo/ ws://targetserver/bar/
ProxyPassReverse /foo/ ws://targetserver/bar/

Request Header (Host attribute) lost/Reset from WebSeal to Apache web server

URL (https://xyz.abc.com/cc): when the load balancer sees /cc, it will forward the request to WebSeal (reverse proxy server).
WebSeal adds/sets (Header Host: xyz.abc.com) and forwards the request to Apache2 (web server). In WebSeal we have a standard junction (/cc) which will process the request from the LB.
When the request comes to Apache2, it loses the HOST header value (xyz.abc.com) and it is reset to the Apache2 server name (xyzapacheweb1).
Now finally the request passes from Apache2 to Liferay Portal (6.2) and it shows the URL (xyzapacheweb1) instead of (xyz.abc.com).
Liferay needs the HOST name when a web server is fronting it, so we have to hard-code the URL (in a property file or in Apache2).
We want to remove the hard-coded value and pass a dynamic host name so we can use multiple URLs for individual applications.
Note: When we don't have WebSeal in the picture, it preserves the HOST name, i.e. Apache2 shows the actual domain name (xyz.abc.com).
Can you please help me to resolve this problem?
Let me know if you need more info.
If you're using mod_proxy to forward from apache to tomcat you're missing the option
ProxyPreserveHost On
This is because of forwarding through http. If you're using ajp this is automatically taken care of for you by the protocol.
I'm not sure of the equivalent option for webseal though, maybe the apache one helps you to find it
I came up with two solutions.
Temporary :
Set a custom header attribute in the request from WebSeal, i.e. domain-host-name. From LB -> WebSeal, set the host value to this variable.
The Apache web server is able to retrieve this value because it's not a default request header. Based on the domain-host-name value, set the Header HOST value from the Apache web server for Liferay.
Remove the web.server.host.name property in Liferay; it will automatically get the HOST value (which was set by Apache).
Set xyz.abc.com if domain-host-name is set to xyz.abc.com
SetEnvIf domain-host xyz.abc.com HAVE_MyRequestHeader
RequestHeader set Host xyz.abc.com env=HAVE_MyRequestHeader
Set abc.xyz.com if domain-host-name is set to abc.xyz.com
SetEnvIf domain-host abc.xyz.com HAVE_MyRequestHeader_1
RequestHeader set Host abc.xyz.com env=HAVE_MyRequestHeader_1
This is a temporary solution because here we have to hardcode the host name check in Apache. So if there is a new URL, you have to configure it in Apache.
Permanent :
WebSeal has a Virtual Junction concept, where WebSeal can be configured to play a virtual hosting role.
Please refer : http://www-01.ibm.com/support/knowledgecenter/SSPREK_6.1.1/com.ibm.itame.doc_6.1.1/am611_webseal_admin642.htm%23vhost-scenario1?lang=en
Let me know if you are facing a similar type of issue; I can help to resolve it.

Apache & Tomcat reverse proxy with basic authentication: Can Tomcat receive the username?

I've successfully configured Apache to listen over SSL/443 and proxy Tomcat listening on HTTP/8080. I have also set up basic authentication in Apache.
Once the user connects to my Tomcat servlet, will the HttpServletRequest.getRemoteUser() be populated or null? If null, how might I get the remote user?
The simplest solution may be to use mod_proxy_ajp, which in addition to proxying requests also transfers a variety of metadata to Tomcat, including authentication information such as REMOTE_USER.
These docs for Alfresco discuss this configuration, which includes changes on both the Tomcat side (so that it knows to trust the forwarded authentication) and the Apache side.
If you're using a generic http proxy like mod_proxy, you would need to arrange for Apache to add the value of REMOTE_USER to the request (possibly as an X- header), and then arrange for your Tomcat application to recognize and trust that header (and you would obviously need to arrange for your front-end proxy to strip that header from any incoming requests).
I don't know how you would do this on the tomcat side, but this post seems to have some suggestions.
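
The Apache side of the generic mod_proxy arrangement described in the answer above, as an added example that is not part of the original answer: Apache authenticates the user, discards any client-supplied copy of the header, and sets it from REMOTE_USER. The header name X-Remote-User, the realm, the htpasswd path and the backend address are assumptions chosen for illustration.

```apache
# Added example, not from the original answer.
# Assumes mod_headers, mod_proxy, mod_proxy_http, mod_auth_basic and
# mod_authn_file are loaded, inside the SSL virtual host on port 443.

<Location "/">
    AuthType Basic
    AuthName "Restricted"                   # hypothetical realm
    AuthUserFile "/path/to/htpasswd"        # placeholder path
    Require valid-user

    # Strip whatever the client sent under this name.
    RequestHeader unset X-Remote-User

    # Set it from the user Apache has just authenticated. Without
    # "early", mod_headers runs after authentication, so REMOTE_USER
    # is already populated when the expression is evaluated.
    RequestHeader set X-Remote-User "expr=%{REMOTE_USER}"

    # Do not hand the user's Basic credentials to the backend.
    RequestHeader unset Authorization

    # Inside <Location> the path argument is omitted.
    ProxyPass        "http://127.0.0.1:8080/"
    ProxyPassReverse "http://127.0.0.1:8080/"
</Location>
```

Tomcat should accept connections only from the proxy (here by listening on 127.0.0.1), because the application has no other way to tell a header set by Apache from one sent by a client that reaches port 8080 directly.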
I needed to add
<Location />
Order allow,deny
Allow from all
RequestHeader unset Authorization
</Location>
to the wrapping location, the RequestHeader being the specialty that fixed it.
I found this (again) via http://codeblow.com/questions/remove-fundamental-authentication-header-with-apache-mod-proxy/ - don't know where I originally found it last year, it was a last measure for some security issue.

Multiple protocols for internal communication between apache and tomcat

Tomcat in our application is considered the back-end side, and additionally we have Apache fronting the Tomcat server as a reverse proxy and redirecting requests to the appropriate Tomcat instance.
Now we need to set up an HTTPS connection between the Apache proxy and Tomcat for specific URLs (login, etc.). The Tomcat documentation says that it's possible to achieve this with an additional <Connector> within the server.xml config.
In order to set up HTTPS for the login page, the existing configuration with the AJP protocol was replaced with the following:
ProxyPass /app/login/ https://127.0.0.1:6666/app/login/
All other URLs are specified like below:
ProxyPass /app/anyotherurl/ ajp://127.0.0.1:5555/app/anyotherurl/
With the configuration below we expect that secure data (login/password) for the login page will be encrypted and all other pages will remain unchanged.
After the login, Apache should use the normal AJP protocol because there is no sensitive information to protect any more. But that's not what actually happens in our case, because for some reason Apache is redirecting us to the host specified in ProxyPass, namely to localhost.
This could happen due to the fact that our application, while executing login logic on Tomcat, has two consecutive redirects.
We've tried to set ProxyPreserveHost on within the virtual host to fix the situation mentioned above, but we are not sure whether it is a secure option and whether it will break other pages, and we are not sure how it will work if Tomcat is located on another machine.
It would be good to know any other solution for how such stuff can be applied internally for specific pages.

How to enable HTTP-based authentication requests only through the external ip?

I have an Apache server on Ubuntu 12.04 with virtual hosts, and a router forwarding port 80 to one of them. The directory is configured with HTTP authentication. I need to require authentication only when a request comes from the "outside", that is, only when the request comes through the external IP; if I call from inside the network (or from the server at localhost), no authentication is required.
Thanks in advance for your help. Sorry for bad english.
You can use the allow from directive in conjunction with your HTTP authentication directives in your httpd.conf file (or .htaccess file) to specify a range of IP addresses for which HTTP authentication will not be required. See .htaccess / .htpasswd bypass if at a certain IP address for more info. Just specify your range of inside IP addresses in the allow from directive.
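
A worked form of the answer above, as an added example that is not part of the original answer: in Apache 2.2 syntax the Allow list and the authentication directives are combined with `Satisfy Any`, so a request passes if it matches either one. The directory path, realm, htpasswd path and the 192.168.1.0/24 range are assumptions chosen for illustration.

```apache
# Added example, not from the original answer.
# Apache 2.2 syntax (mod_authz_host plus mod_auth_basic).

<Directory "/var/www/private">              # hypothetical directory
    AuthType Basic
    AuthName "Restricted"                   # hypothetical realm
    AuthUserFile "/path/to/htpasswd"        # placeholder path
    Require valid-user

    # Address check: the server itself and the inside network.
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1 192.168.1.0/24     # constructed example range

    # Either the address check OR a valid login is enough.
    # The default, "Satisfy All", would demand both.
    Satisfy Any
</Directory>

# Equivalent authorization block in Apache 2.4 syntax, shown as a
# comment because the two styles should not be mixed:
#
#   <RequireAny>
#       Require ip 127.0.0.1 192.168.1.0/24
#       Require valid-user
#   </RequireAny>
```

The address check is made against the peer address Apache sees on the connection, so if a proxy or NAT device in front of the server rewrites source addresses to an inside address, outside requests would skip authentication.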