Why following proxy does not bypass X-Frame-Options header? - apache

I need to show some sites in an iframe and I cannot do that directly as some of those sites have the header X-Frame-Options set to 'SAMEORIGIN'. As a way to bypass this I tried using a reverse proxy in Apache. Below is my Apache configuration:
<VirtualHost *:80>
ServerName google.local
ProxyRequests Off
DocumentRoot /var/www/html/iframe-test
ProxyPass /test http://www.oracle.com/index.html
ProxyPassReverse /test http://www.oracle.com/index.html
ErrorLog /var/log/apache2/google.local-error.log
CustomLog /var/log/apache2/google.local-access.log combined
<Location *>
AllowOverride All
Order allow,deny
Allow from all
# Header always append X-Frame-Options "ALLOW-FROM all"
Header add test-header 'test'
</Location>
</VirtualHost>
But still I cannot load the site in the iframe and I am getting the error: Load denied by X-Frame-Options: https://www.oracle.com/index.html does not permit cross-origin framing.

The issue with the above configuration was that the proxy only worked for the http protocol. But as seen in the console error message, the external site actually redirects http to https automatically.
So to handle the https requests, all that was needed was to enable SSL in Apache and turn on SSLProxyEngine. To do that:
run sudo a2enmod ssl in a terminal
add the line 'SSLProxyEngine On' to the above config
<VirtualHost *:80>
ServerName google.local
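# ProxyPass (reverse proxying) does not need forward proxying, so this stays Off as in the config above
ProxyRequests Off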
ProxyPreserveHost Off
SSLProxyEngine On
DocumentRoot /var/www/html/iframe-test
ProxyPass /test http://www.oracle.com/index.html
ProxyPassReverse /test http://www.oracle.com/index.html
ErrorLog /var/log/apache2/google.local-error.log
CustomLog /var/log/apache2/google.local-access.log combined
<Location *>
AllowOverride All
Order allow,deny
Allow from all
# Header always append X-Frame-Options "ALLOW-FROM all"
Header add test-header 'test'
</Location>
</VirtualHost>

Related

Apache reverse proxy error on firefox : SSL_ERROR_RX_RECORD_TOO_LONG

I'm stuck with my Apache config
Situation
I have a Node chat web app and a phpmyadmin running on the same debian VPS server. Node runs on :3000 and phpmyadmin on :443.
The server base url on :443 is currently displaying phpmyadmin login page and the chat app can be accessed on IP:3000 (https)
Each have their own SSL cert and https is working without issues on both of them separately
Goal
What I'm trying to do is set up an Apache reverse proxy to forward requests from a clean URL (like chat.domain.com) to my Node app while keeping phpmyadmin on its own dedicated subdomain (vps.domain.com).
like so :
internet (chat.domain.com on :443) -> reverse proxy -> node app running on :3000
internet (vps.domain.com on :443) -> reverse proxy -> phpmyadmin
Issue
Redirection does not work at all.
Firefox shows an error page with SSL_ERROR_RX_RECORD_TOO_LONG (ERR_SSL_PROTOCOL_ERROR on Chrome). As far as I understand it is telling me that I can't redirect to a service running on a different port than :443
I need secure https for both of my services (phpmyadmin and chat) but can only run one of them on :443 since one is Apache and the other is Node. They each have their own routing system.
What I've considered
I'm not sure if what I'm trying to do is possible with Apache and this setup. I'd like to run my main app on :443 but then PMA would have to be moved to another port and. Alternatively I could run several servers for cleaner separation of services. I could also use Docker containers, but I don't think this should be necessary here.
Not sure which solution is the most appropriate. I just wanted to do some basic redirections.
Setup config :
Including relevant information about my config in this section.
Apache version : Apache/2.4.53 (Debian)
rewrite and proxy mods are enabled
apachectl configtest -> Syntax OK
vHosts :
default http -> https redirection
# 000-default.conf
<VirtualHost *:80>
ServerName default.domain.me
Redirect / https://localhost:443
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
reverse proxy vhost
# reverse_proxy.conf
<VirtualHost chat.domain.me:443>
ServerName rproxy.domain.me
# ProxyPreserveHost On
ProxyRequests Off
# chat
ProxyPass / https://localhost:3000/
ProxyPassReverse / https://localhost:3000/
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
PMA vhost
# phpmyadmin.conf
<VirtualHost _default_:443>
ServerName phpmyadmin.domain.me
DocumentRoot /usr/share/phpmyadmin
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/vps.domain.me/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/vps.domain.me/privkey.pem
Protocols h2 http/1.1
Header always set Strict-Transport-Security "max-age=63072000"
# Alias /phpmyadmin /usr/share/phpmyadmin
<Directory /usr/share/phpmyadmin>
Options FollowSymLinks
DirectoryIndex index.php
Require all granted
# limit libapache2-mod-php to files and directories necessary by pma
<IfModule mod_php7.c>
php_admin_value upload_tmp_dir /var/lib/phpmyadmin/tmp
php_admin_value open_basedir /usr/share/phpmyadmin/:/usr/share/doc/phpmyadmin/:/etc/phpmyadmin/:/var/lib/phpmyadmin/:/usr/share/php/:/usr/share/javascript/
</IfModule>
</Directory>
# Disallow web access to directories that don't need it
<Directory /usr/share/phpmyadmin/templates>
Require all denied
</Directory>
<Directory /usr/share/phpmyadmin/libraries>
Require all denied
</Directory>
ErrorLog ${APACHE_LOG_DIR}/phpmyadmin/error.log
CustomLog ${APACHE_LOG_DIR}/phpmyadmin/access.log combined
</VirtualHost>
# intermediate configuration
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite # don't know if secret. didn't include.
SSLHonorCipherOrder off
SSLSessionTickets off
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
Let me give you some possible solutions.
1) Changing the virtual host tag, i.e., from <VirtualHost chat.domain.me:443> to <VirtualHost _default_:443>
2) Setting the ports.conf file as follows
Listen 80
Listen 443 https
execute a2ensite default-ssl
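Finally, let me give you one example that I have
# Opening tags were missing from the post; mod_ssl.c and *:443 are assumed
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName abc.com
ServerAdmin webmaster@abc.com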
<Proxy *>
Require all granted
</Proxy>
ProxyPreserveHost On
ProxyPass / http://127.0.0.1:8181/
ProxyPassReverse / http://127.0.0.1:8181/
ErrorLog ${APACHE_LOG_DIR}/abc.com.error.log
CustomLog ${APACHE_LOG_DIR}/abc.com.access.log combined
SSLCertificateFile /etc/letsencrypt/live/abc.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/abc.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
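Added example, not part of the original question or answer: SSL_ERROR_RX_RECORD_TOO_LONG is typically what a TLS client reports when the listener on :443 answers in plain HTTP, which is what a :443 vhost without SSLEngine and a certificate (like reverse_proxy.conf above) does. The Python sketch below reads the first five bytes of two constructed replies as a TLS record header; the sample bytes and the function name are assumptions made for illustration.

```python
import struct

# Largest encrypted record a TLS 1.2 peer may send (RFC 5246): 2^14 + 2048 bytes.
MAX_RECORD_LEN = 2**14 + 2048
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}

# Constructed samples: first bytes a client could receive on port 443.
PLAINTEXT_REPLY = b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/html\r\n\r\n"
TLS_REPLY = bytes([0x16, 0x03, 0x03, 0x00, 0x7A]) + b"\x02" * 0x7A


def classify_first_bytes(data: bytes) -> dict:
    """Read the 5-byte TLS record header the way a TLS client would."""
    if len(data) < 5:
        return {"verdict": "short_read"}
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    info = {
        "content_type": CONTENT_TYPES.get(ctype, f"unknown(0x{ctype:02x})"),
        "version": (major, minor),
        "length": length,
        "length_exceeds_max": length > MAX_RECORD_LEN,
    }
    if data.startswith(b"HTTP/"):
        # 'P' (0x50) and '/' (0x2f) land in the length field: 0x502f = 20527.
        info["verdict"] = "plaintext_http"
    elif ctype in CONTENT_TYPES and major == 3 and not info["length_exceeds_max"]:
        info["verdict"] = "tls_record"
    else:
        info["verdict"] = "not_tls"
    return info


if __name__ == "__main__":
    for name, sample in (("plaintext", PLAINTEXT_REPLY), ("tls", TLS_REPLY)):
        print(name, classify_first_bytes(sample))
```

The first bytes of a real listener can be taken from a packet capture and passed to classify_first_bytes in the same way.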

allow-origin not working for multiple domains on apache2

I am trying to allow only certain domains to access the source. When I am inserting
Header Set Access-Control-Allow-Origin "domain.tld" it works perfectly.
When I try it for multiple domains, it does the opposite. It allows any domain but not cors.domain.tld:
<VirtualHost *:80>
ProxyPreserveHost On
ProxyRequests Off
ProxyPass / http://localhost:9090/
ProxyPassReverse / http://localhost:9090/
ServerName map.domain.tld
ServerAlias map.domain.tld
<Proxy *>
SetEnvIf Origin "http(s)?://(www\.)?(cors.domain.tld|staging.google.com)$" AccessControlAllowOrigin=$0
Header add Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
Header merge Vary Origin
Order allow,deny
Allow from all
</Proxy>
</VirtualHost>
What do I do wrong?
Thanks!
I figured it out, I had to set --no-cors on my docker image, where I proxy the domain to. Now it works fine.
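Added example, not from the original posts: the Origin pattern in the SetEnvIf line above has unescaped dots and no leading anchor, so it matches more hosts than the two it names, and the matched text is echoed back in Access-Control-Allow-Origin. The Python sketch below emulates that match on constructed Origin values; STRICT_PATTERN is a suggested hardening and an assumption, not the poster's configuration.

```python
import re

# Pattern exactly as written in the SetEnvIf line of the question.
PAGE_PATTERN = r"http(s)?://(www\.)?(cors.domain.tld|staging.google.com)$"
# Hardened variant (assumption, not the poster's config): start anchor, escaped dots.
STRICT_PATTERN = r"^https?://(www\.)?(cors\.domain\.tld|staging\.google\.com)$"

# Constructed Origin header values.
SAMPLE_ORIGINS = [
    "https://cors.domain.tld",        # intended
    "http://www.staging.google.com",  # intended
    "https://corsxdomain.tld",        # lookalike: '.' matched 'x'
    "https://staging-google.com",     # lookalike: '.' matched '-'
    "https://other.example",          # unrelated
]


def echoed_origin(pattern: str, origin: str):
    """Value the Header directive would emit ($0 of the match), or None."""
    match = re.search(pattern, origin)  # SetEnvIf regexes are unanchored searches
    return match.group(0) if match else None


def over_permissive(origins):
    """Origins the page's pattern allows but the strict pattern rejects."""
    return [o for o in origins
            if echoed_origin(PAGE_PATTERN, o) and not echoed_origin(STRICT_PATTERN, o)]


if __name__ == "__main__":
    for origin in SAMPLE_ORIGINS:
        print(f"{origin:32} page={echoed_origin(PAGE_PATTERN, origin)!s:32} "
              f"strict={echoed_origin(STRICT_PATTERN, origin)}")
    print("allowed only by the page pattern:", over_permissive(SAMPLE_ORIGINS))
```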

Not Able to Set HeaderRequest with httpd on Amazon Linux behind Load Balancer

We have a configuration where we front the server with EC2 Load Balancer. Because of that, it seems that the "Host" is not properly set when it reaches the server. Because of that we are trying to set the value using the proxy, but it doesn't seem to be working. Below is the configuration:
NameVirtualHost *:80
<VirtualHost *:80>
ServerAdmin admin@test.com
DocumentRoot "/mnt/dataebs/apache/test"
ServerName www.test.com
ServerAlias www.test.com
ErrorLog "/mnt/dataebs/apache/test-error.log"
CustomLog "/mnt/dataebs/apache/test-access.log" common
<Directory "/mnt/dataebs/apache/test">
Options Indexes FollowSymLinks Includes MultiViews
AllowOverride None
Order allow,deny
Allow from all
</Directory>
RequestHeader set Host "www.test.com"
RequestHeader set Accept-Encoding "gzip, deflate"
ProxyPass /fabric http://<ip_address>/fabric
ProxyPassReverse /fabric http://<ip_address>/fabric
ProxyPassReverseCookiePath / /
</VirtualHost>
I have looked around for a potential solution, but so far I haven't found one that actually solved the problem. I have also double-checked to make sure mod_headers is enabled:
$ httpd -t -D DUMP_MODULES | grep header
Syntax OK
headers_module (shared)
Is there something else we need to include in the configuration? How do you normally deal with this kind of case where the server is fronted by a load balancer?
There is a specific directive in mod_proxy for that called:
ProxyPreserveHost
Just define it and set it to "on"

Apache virtual host + reverse proxy conflict

I have a server running ubuntu+apache. I have a website running (old ipython notebook with a multiuser-hack) that can be accessed through xxx.xx.xx.xx (=:myip). The corresponding apache configuration called sins.conf looks like this:
<VirtualHost *:80>
ServerName ipython.local-server
ServerAlias
WSGIDaemonProcess ipythonapp2 user=www-data group=www-data processes=2 threads=5\
python-path=/home/sins/ilmrt/lib/python2.7/site-packages
WSGIScriptAlias / /home/sins/ilmrt/ipysite/wsgi.py
<Directory /home/sins/ilmrt/ipysite>
#WSGIProcessGroup ipythonapp2
WSGIApplicationGroup %{GLOBAL}
Require all granted
Allow from all
</Directory>
Alias /static/ /home/sins/ilmrt/ipysite/static/
<Location "/static/">
Options -Indexes
</Location>
</VirtualHost>
and works perfectly.
Now, since I'm about to run a new website (jupyterhub) with reverse proxy in addition, I setup a new apache configuration called jupyterhub.conf:
ProxyPass / http://localhost:9111/
ProxyPassReverse / http://localhost:9111/
Header edit Origin http://myip:9111/ localhost:9111
RequestHeader edit Origin http://myip:9111 localhost:9111
Header edit Referer http://myip:9111 localhost:9111
RequestHeader edit Referer http://myip:9111 localhost:9111
<Location ~ "/(user/[^/]*)/(api/kernels/[^/]+/channels|terminals/websocket)/?">
ProxyPass ws://localhost:9111
ProxyPassReverse ws://localhost:9111
</Location>
If I run sudo a2ensite jupyterhub and sudo service apache2 reload, the new website works as expected under http://myip:9111. However, the old website with the address http://myip shows Service Unavailable.
I don't understand what I need to change to make both sites working at the same time. Any help?
EDIT:
I believe I need to put the jupyterhub configuration inside a <VirtualHost *:9111>, but if I start the jupyterhub server it says
Proxy appears to be running at http://myip:9111, but I can't access it. Connection refused.
Okay, so the trick was as I assumed: It needs to be put in a VirtualHost.
For some reason I initially put a Listen 9111 in front of the config code below, which is why it blocked something. Here's the code in case anyone is interested:
<VirtualHost *:9111>
ProxyPass / http://localhost:9111/
ProxyPassReverse / http://localhost:9111/
Header edit Origin http://myip:9111/ localhost:9111
RequestHeader edit Origin http://myip:9111 localhost:9111
Header edit Referer http://myip:9111 localhost:9111
RequestHeader edit Referer http://myip:9111 localhost:9111
<Location ~ "/(user/[^/]*)/(api/kernels/[^/]+/channels|terminals/websocket)/?">
ProxyPass ws://localhost:9111
ProxyPassReverse ws://localhost:9111
</Location>
LogLevel debug
</VirtualHost>

Reverse proxy: unwanted URL change

I have a web-service that I would like to expose through the URL foo.com/bar.
However my Apache reverse proxy does not work as intended.
I have created the file 001-default.conf, which contains the following code:
<VirtualHost *:80>
ProxyPreserveHost On
ProxyRequests Off
ProxyPass /bar http://foo.com:8080/bar
ProxyPassReverse /bar foo.com:8080/bar
DocumentRoot /var/www/foo/
ServerName info.foo.com
<Directory /var/www/foo>
Options Indexes FollowSymLinks MultiViews Includes
AllowOverride All
Order allow,deny
allow from all
</Directory>
</VirtualHost>
Right now I receive a 404 error code.
I want to achieve all hits on foo.com/bar to be silently redirected to foo.com:8080/bar, meaning that the user should only see the URL foo.com/bar.
The reverse proxy redirect should also include requests such as foo.com/bar?=foobar.
I did enable proxy_http and proxy:
% sudo a2enmod proxy_http
Considering dependency proxy for proxy_http:
Module proxy already enabled
Module proxy_http already enabled
I hope that there is someone out there who is able to help me with this.
Similar problems that did not solve my problem:
apache reverse proxy changes url
Transparent redirect to port 8080
Try and edit the config to:
<VirtualHost *:80>
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPreserveHost On
ProxyRequests Off
# Note removed /bar (Apache does not allow a comment on the same line as a directive)
ProxyPass /bar http://foo.com:8080
ProxyPassReverse /bar foo.com:8080
DocumentRoot /var/www/foo/
ServerName info.foo.com
<Directory /var/www/foo>
Options Indexes FollowSymLinks MultiViews Includes
AllowOverride All
Order allow,deny
allow from all
</Directory>
</VirtualHost>
You can also try with mod_alias to avoid the /bar/bar issue you might be facing now.
I do not know much about it, see the documentation: http://httpd.apache.org/docs/2.2/mod/mod_alias.html
Try something like adding this to your conf:
Alias /bar http://foo.com:8080
Using this you might want to remove the proxy.