Reverse proxy for external URL - Apache - apache

I configured my Apache so that it can forward my requests to an external URL like google.com, but the reverse proxy doesn't work.
<VirtualHost *:443>
    ServerName authtest.com
    ProxyRequests Off
    ProxyPreserveHost On
    <Proxy *>
        Order allow,deny
        Allow from All
    </Proxy>
    <LocationMatch "/google">
        ProxyPass https://www.google.com/
        ProxyPassReverse https://www.google.com/
    </LocationMatch>
</VirtualHost>
Is it possible for me to reverse proxy external websites?

Is it possible for me to reverse proxy external websites?
Yes but with significant downsides.
Note: when I tried your configuration, I got SSL Proxy requested for [...] but not enabled [Hint: SSLProxyEngine] in the logs so I added SSLProxyEngine on.
Host issue
When you make an HTTP/1.1 request to a server, you automatically add the hostname in the request. When you proxy them, you have two possibilities:
[browser] --(Host: authtest.com)--> [apache proxy] --(Host: authtest.com)--> Google
or
[browser] --(Host: authtest.com)--> [apache proxy] --(Host: google.com)--> Google
The first one is what you get with ProxyPreserveHost On. Google servers won't handle requests for authtest.com, you should remove this line.
Even in the second case, you can have issues. ProxyPassReverse will handle redirects but only for the given domain: I'm in France, google.com redirects me to google.fr (a different domain) and the reverse proxy doesn't rewrite the redirect.
Another issue is the referer: if a service sees requests for images/css/js coming from a different web site it may consider it as bandwidth leeching and block them. Now, you need to rewrite the html of the response too (mod_proxy_html will help but it's not a silver bullet).
Path issue
In your example, you proxy <authtest>/google to <google>/. Like above, you need to rewrite the html: absolute links/resources won't work unless your server adds /google everywhere. Same for relative links/resources (but with more edge cases). If you owned the backend server, you could have checked urls in html/css/js files. Here, if the url is built dynamically in the browser using js you can't do anything.
If you can proxy / to / (or /whatever to /whatever) you will avoid a lot of issues here.

Check this Git repo
I forked a Git repo and customized it to work with this scenario:
[browser] --(Host: google.local)--> [apache proxy] --(Host: google.nl)--> Google
The Apache config as follows:
<VirtualHost *:80>
    ServerName google.local
    SSLProxyEngine on
    ProxyRequests Off
    <Proxy *>
        Order allow,deny
        Allow from All
    </Proxy>
    ProxyPass / https://www.google.nl/
    ProxyPassReverse / https://www.google.nl/
    ErrorLog /var/log/apache2/google.local-error.log
    CustomLog /var/log/apache2/google.local-access.log combined
</VirtualHost>

Related

Blazor / Kestrel / Apache: How to configure properly?

I know, I know, Apache is not the best tool to use as HTTP proxy, however I need it on my server.
Here's my virtual host configuration:
<VirtualHost *:*>
    RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
</VirtualHost>
<VirtualHost *:80>
    ServerName my.public.domain
    Redirect / https://my.public.domain/
</VirtualHost>
<VirtualHost *:443>
    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:50001/
    ProxyPassReverse / http://127.0.0.1:50001/
    ServerName my.public.domain
    ErrorLog ${APACHE_LOG_DIR}my-app-error.log
    CustomLog ${APACHE_LOG_DIR}my-app-access.log common
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/my-cert/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/my-cert/privkey.pem
</VirtualHost>
In the UseUrls method I have http://localhost:50001 configured as the main URL, and this is redirected by Apache to HTTPS #443.
It works like a charm, however I see this in the logs:
warn: Microsoft.AspNetCore.HttpsPolicy.HttpsRedirectionMiddleware[3]
Failed to determine the https port for redirect.
In my configuration Apache handles https traffic, BTW, I can't communicate my app with Apache locally over HTTPS, it just doesn't work. I also think it's pointless to encrypt local internal traffic.
Unfortunately my solution requires some hacking to work 100% properly - I need to provide my public site URL in my app configuration - otherwise the app doesn't know what its external address is. I mean - I build some links manually, because this is the core of my question - I don't know where the framework would keep such information. For example NavigationManager thinks my site URL is "http://localhost:50001", so if I need an absolute URL in my app I can't use NavigationManager directly, I need to "manually" create the URL in the app.
Links generated by Identity have "http" instead of "https", but it works because apache redirects everything to https.
Is there a way (and HOW) to do it more properly - a means to officially tell ASP.NET Core it has a specific external URL?
Where you have ServerName my.public.domain, use the following:
For port 80:
ServerName http://my.public.domain:80
For port 443:
ServerName https://my.public.domain:443

Apache and Tomcat proxying

Recently, I was in need of using both Apache and Tomcat together in which Apache was to be used as the reverse proxy to forward requests to port 80 to localhost:8080 which I did like this:
<VirtualHost *:*>
    ProxyPass / http://localhost:8080/app/
</VirtualHost>
And it works perfectly well.
Now, what I need to do is: I have Tomcat listening and serving on another port 8082. I need to be able to access it using www.mydomain.com:8082. I tried:
<VirtualHost *:8082>
    ProxyPass / http://localhost:8082/app/
</VirtualHost>
But no luck. And I can't listen on 8082 because Tomcat is doing that.
What you have above is a (failed) attempt to map the / URL space into two different places. That's never going to work.
When proxying to Tomcat, it's never a good idea to rewrite URL paths (e.g. / -> /app/) because Tomcat is going to get all kinds of confused. It's much better to map individual applications:
<VirtualHost *:*>
    ProxyPass /app1/ http://localhost:8080/app1/
    ProxyPass /app2/ http://localhost:8080/app2/
    ProxyPass /app3/ http://localhost:8082/app3/
    ProxyPass /app4/ http://localhost:8082/app4/
    # If you need a fall-back application for `/`, just map it last.
    ProxyPass / http://localhost:8080/
</VirtualHost>
Note that the last line up there is mapping / to Tomcat's ROOT context (mounted on /). Don't do this any other way, or you'll spend years trying to make everything work when you could have just done it the recommended way.

Detect apache reverse proxy programmatically

I want to proxy a website – let’s call it “APP” - through Apache 2.4 using two different reverse proxies with different host names (virtual hosts). Let’s call those proxies “Alfa” and “Beta”. I want Alfa to be the “public proxy” which will show the normal version of the website. The Beta proxy will limit public access to certain client IPs, but here I want to show – on top of each page of the website – some type of sensitive information. Let’s call those portions of sensitive information “SENS”.
Here’s my current apache config.
Listen 443
NameVirtualHost *:443
SSLStrictSNIVHostCheck off
## Virtual host for the Alfa Proxy
<VirtualHost *:443>
    ServerName alfa.mysite.org
    RewriteEngine On
    <Location /app/>
        ProxyPass http://x.x.x.x:8080/app/
        ProxyPassReverse http://x.x.x.x:8080/app/
    </Location>
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile conf/alfa.crt
    SSLCertificateKeyFile conf/alfa.key
</VirtualHost>
## Virtual host for the Beta Proxy
<VirtualHost *:443>
    ServerName beta.mysite.org
    RewriteEngine On
    <Location /app/>
        Require ip 192.168.0
        ProxyPass http://x.x.x.x:8080/app/
        ProxyPassReverse http://x.x.x.x:8080/app/
    </Location>
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile conf/beta.crt
    SSLCertificateKeyFile conf/beta.key
</VirtualHost>
In order to show SENS only to the users of Beta, I need to programmatically detect which proxy requests come from. Now, I’ve looked into the use of Reverse Proxy Request Headers such as “X-Forwarded-Server”. Let’s say I define some kind of security filter in APP (e.g Spring Filter) that allows SENS to be rendered on page only if X-Forwarded-Server equals “beta.mysite.org”. This should work just fine.
But my question is this: can I be sure that no tampering with the proxy headers can occur that would allow users of alfa.mysite.org to actually view the SENS portions of my website?
If so, are there any other ways of doing this in a “secure manner”?
Having two different versions of APP or deploying APP on two different containers is something I want to avoid here.
Any comments or suggestions are appreciated.
According to the Apache documentation, the X-Forwarded-Server header can be a comma-separated list when multiple proxies are used. So I wouldn't consider it safe from a security point of view.
Under the assumption that your backend server is not directly accessible, you could try the following.
Set your own HTTP header whose value changes depending on which VirtualHost the request passes through.
You then only have to check for the existence of the header in the backend.
## Inside the Alfa virtual host
ServerName alfa.mysite.org
RewriteEngine On
<Location /app/>
    # set: the request header is set, replacing any previous header with this name
    RequestHeader set MyCustomHeader "remote"
</Location>
## Inside the Beta virtual host
ServerName beta.mysite.org
RewriteEngine On
<Location /app/>
    Require ip 192.168.0
    # set: the request header is set, replacing any previous header with this name
    RequestHeader set MyCustomHeader "local"
    ..
</Location>
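As an added illustration of the answer above (not code from the thread), this Python model shows what the backend receives when a client sends its own copies of the headers, and a backend check that relies only on the value the proxy overwrites. The proxy address 10.0.0.5 and all function names are assumptions.

```python
# Assumed address of the Apache host as seen by the backend (hypothetical).
PROXY_IP = "10.0.0.5"

# Value each virtual host stamps with `RequestHeader set MyCustomHeader ...`.
VHOST_TAG = {"alfa.mysite.org": "remote", "beta.mysite.org": "local"}


def apache_forward(vhost, client_headers):
    """Return the headers the backend receives for a request through `vhost`."""
    out = dict(client_headers)
    # mod_proxy appends its own name to any X-Forwarded-Server the client sent,
    # which is why the header can arrive as a comma-separated list.
    prior = out.get("X-Forwarded-Server")
    out["X-Forwarded-Server"] = f"{prior}, {vhost}" if prior else vhost
    # `RequestHeader set` replaces whatever value the client supplied.
    out["MyCustomHeader"] = VHOST_TAG[vhost]
    return out


def naive_check(headers):
    """Fragile: trusts the first list entry, which the client controls."""
    first = headers.get("X-Forwarded-Server", "").split(",")[0].strip()
    return first == "beta.mysite.org"


def may_show_sens(headers, peer_ip):
    """Render SENS only for requests that came from the proxy and were tagged by Beta."""
    if peer_ip != PROXY_IP:
        # A direct connection bypasses Apache, so no header can be trusted.
        return False
    return headers.get("MyCustomHeader") == "local"


# Constructed request: a client of Alfa supplies both headers itself.
FORGED = {"X-Forwarded-Server": "beta.mysite.org", "MyCustomHeader": "local"}
via_alfa = apache_forward("alfa.mysite.org", FORGED)
via_beta = apache_forward("beta.mysite.org", {})
```

The peer-address test encodes the answer's assumption that the backend is only reachable through the proxy; in practice that is enforced with a firewall rule or by binding the backend to an internal interface.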

Apache proxyPassReverse and Websockets

I've been working on a Perl Mojolicious project that uses websockets. I'm wanting to launch it on a shared server running apache and use proxyPass and proxyPassReverse to make the url prettier for my Mojolicious code running with Hypnotoad.
I have it set up as follows.
Apache url:
mydomain.com
Hypnotoad url:
mydomain.com:8080
With the following apache entry I can reverse proxy the Hypnotoad server to
project.mydomain.com
apache.conf entry
<VirtualHost *:80>
    ServerName project.mydomain.com
    DocumentRoot /var/www/project
    <Directory /var/www/project/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass / http://mydomain.com:8080/ keepalive=On
    ProxyPassReverse / http://mydomain.com:8080/
    RequestHeader set X-Forwarded-HTTPS "0"
</VirtualHost>
However my websocket requests give a 404 error when I use:
ws://project.mydomain.com/get-data
and a 302 error when I use:
ws://mydomain.com:8080/get-data
I guess this wouldn't be a problem if the websocket didn't check for authentication, but they use Mojolicious routes to check that you can post via the websocket.
From what I can see Apache doesn't support reverse proxying websockets. In apache/httpd conf files.
Has anyone found a usable solution to this using Apache that is stable for a production environment?
In March a patch was committed to the Apache trunk by Jim Jagielski which allows websockets to be proxied correctly. The patch adds a new submodule called proxy_wstunnel which allows mod_proxy to work with the "ws" and "wss" protocols.
The module is not yet in any official Apache releases (as of June 8th 2013), so you will need to compile it yourself. Voyageur's blog describes the process for Apache 2.2, but it should be easier for Apache 2.4
Apache httpd 2.4.6 includes proxying websocket requests.

What are my options to deploy Go applications alongside PHP applications?

What I'm basically trying to accomplish is having my main website running a CMS written in Go. This will be located at www.example.com.
I also have applications written in PHP located in directories, such as www.example.com/clients/
How can I serve example.com/clients using Apache/PHP while serving example.com using Go built-in web server?
Via mod_proxy in Apache2, you can proxy different paths into different destinations at localhost or anywhere else accessible by your server, including within your local network (if your server can access it).
For this you would use ProxyPass (Apache2 Docs for ProxyPass, which is very useful reading) like the example below:
<VirtualHost *:80>
    ServerName some.example.host.xyz
    DocumentRoot /var/www/your-document-root
    Alias /clients/ /var/www/clients/
    ProxyPass /clients/ !
    ScriptAlias /something-using-cgi/ /var/www/cgi-stuff/
    ProxyPass /something-using-cgi/ !
    ProxyPreserveHost On
    ProxyPass / http://localhost:9876/
    ProxyPassReverse / http://localhost:9876/
    ProxyPass /elsewhere/ http://elsewhere.example.host.xyz:1234/
    ProxyPassReverse /elsewhere/ http://elsewhere.example.host.xyz:1234/
</VirtualHost>
You'll want to be sure that you set your proxy security such that external users can't use your reverse proxy as a forward proxy, too. You can do that via ProxyRequests as described in the official Apache2 docs. The way I did this on a server is to put this in your server-wide config (you should verify on your own that this is secure enough):
# disables forward proxy
ProxyRequests Off
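One way to audit a configuration for this, as an added example (not code from the answer): the Python function below reports every scope in which ProxyRequests is effectively On, taking into account that a virtual host without its own setting inherits the server-wide one. It assumes a single configuration file without Include directives or macros; the sample configuration and its second hostname are constructed.

```python
import re

# Constructed sample configuration (hostnames are placeholders).
SAMPLE_CONF = """\
ProxyRequests Off
<VirtualHost *:80>
    ServerName some.example.host.xyz
    ProxyPass / http://localhost:9876/
</VirtualHost>
<VirtualHost *:8080>
    ServerName legacy.example.host.xyz
    ProxyRequests On
</VirtualHost>
"""

DIRECTIVE = re.compile(r"^(ServerName|ProxyRequests)\s+(\S+)", re.I)


def forward_proxy_scopes(conf_text):
    """Return the scopes in which ProxyRequests is effectively On."""
    server_wide = None          # None = not set; Apache's default is Off
    vhosts, current = [], None  # each vhost: {"name": str, "on": bool or None}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if re.match(r"<VirtualHost\b", line, re.I):
            current = {"name": "<unnamed vhost>", "on": None}
        elif re.match(r"</VirtualHost>", line, re.I):
            vhosts.append(current)
            current = None
        elif (m := DIRECTIVE.match(line)):
            key, value = m.group(1).lower(), m.group(2)
            if key == "servername" and current is not None:
                current["name"] = value
            elif key == "proxyrequests":
                enabled = value.lower() == "on"
                if current is None:
                    server_wide = enabled
                else:
                    current["on"] = enabled
    findings = ["<server-wide>"] if server_wide else []
    for vh in vhosts:
        # A vhost without its own ProxyRequests inherits the server-wide value.
        effective = vh["on"] if vh["on"] is not None else bool(server_wide)
        if effective:
            findings.append(vh["name"])
    return findings
```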
Andrew Gerrand has a good blog post about this for nginx but the principle is the same for Apache.
You want to set up Apache as a reverse proxy for requests coming in for the Go application.
For Apache you want to look at mod_proxy