I currently starting a (Symfony2) project where I have to use a different port for HTTP-Communication of the REST-API (JSON/XML) then the normal HTML-Content.
Is this possible? And what is the best practice? Can this be solved by (Symfony-) routing? Goal is to provide the REST-API just for "internal" use (traffic coming from an internal ethernet-connection) and to "block" traffic which comes from a external connection.
Additional info:
I add a route /api/user e.g. for the User Rest API and /api/projects for the Project Rest API.
Can I do something like?
<VirtualHost *:81>
DocumentRoot /var/www/html/[Symfony-Folder]/web/api
</VirtualHost>
maybe you can try in your apache config to match your mydomain.tld/api route to a different port.
Also in your config file you can configure défault port like this :
# router configuration
router:
...
http_port: 81
But I don't know if you can define a port for different routes but maybe you can take a look on the router configuration.
You can do something like this I think :
<VirtualHost *:80>
ServerName mydomain.tld/api
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass / http://localhost:81/
ProxyPassReverse / http://localhost:81/
</VirtualHost>
You listen on the port 80 but you redirect the traffic who match the /api path to a different port.
Related
I know, I know, Apache is not the best tool to use as HTTP proxy, however I need it on my server.
Here's my virtual host configuration:
<VirtualHost *:*>
RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
</VirtualHost>
<VirtualHost *:80>
ServerName my.public.domain
Redirect / https://my.public.domain/
</VirtualHost>
<VirtualHost *:443>
ProxyPreserveHost On
ProxyPass / http://127.0.0.1:50001/
ProxyPassReverse / http://127.0.0.1:50001/
ServerName my.public.domain
ErrorLog ${APACHE_LOG_DIR}my-app-error.log
CustomLog ${APACHE_LOG_DIR}my-app-access.log common
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/my-cert/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/my-cert/privkey.pem
</VirtualHost>
In UseUrls method i have http://localhost:50001 configured as main URL, and this is redirected by Apache to HTTPS #443.
It works as charm, however I see this in logs:
warn: Microsoft.AspNetCore.HttpsPolicy.HttpsRedirectionMiddleware[3]
Failed to determine the https port for redirect.
In my configuration Apache handles https traffic, BTW, I can't communicate my app with Apache locally over HTTPS, it just doesn't work. I also think it's pointless to encrypt local internal traffic.
Unfortunately my solution requires some hacking to work 100% properly - I need to provide my public site URL in my app configuration - otherwise the app doesn't know what it's external address is. I mean - I build some links manually, because this is the core of my question - I don't know where the framework would keep such information. For example NavigationManager thinks my site URL is "http://localhost:50001", so if I need absolute URL in my app I can't use NavigationManager directly, I need to "manually" create the URL in app.
Links generated by Identity have "http" instead of "https", but it works because apache redirects everything to https.
Is there a way (and HOW) to do it more properly - a mean to officially tell the AspNET.Core it has specific external URL?
Where you have ServerName my.public.domain, use the following:
For port 80:
ServerName http://my.public.domain:80
For port 443:
ServerName https://my.public.domain:443
Recently, I was in need of using both Apache and Tomcat together in which Apache was to be used as the reverse proxy to forward requests to port 80 to localhost:8080 which I did like this:
<VirtualHost *:*>
ProxyPass / http://localhost:8080/app/
</VirtualHost>
And it works perfectly well.
Now, what I need to do is: I have Tomcat listening and serving on another port 8082. I need to be able to access it using www.mydomain.com:8082. I tried:
<VirtualHost *:8082>
ProxyPass / http://localhost:8082/app/
</VirtualHost>
But no luck. And I can't listen on 8082 because Tomcat is doing that.
What you have above is a (failed) attempt to map the / URL space into two different places. That's never going to work.
When proxying to Tomcat, it's never a good idea to rewrite URL paths (e.g. / -> /app/ because Tomcat is going to get all kinds of confused. It's much better to map individual applications:
<VirtualHost *:*>
ProxyPass /app1/ http://localhost:8080/app1/
ProxyPass /app2/ http://localhost:8080/app2/
ProxyPass /app3/ http://localhost:8082/app3/
ProxyPass /app4/ http://localhost:8082/app4/
# If you need a fall-back application for `/`, just map it last.
ProxyPass / http://localhost:8080/
</VirtualHost>
Note that the last line up there is mapping / to Tomcat's ROOT context (mounted on /'). Don't do this any other way, or you'll spend years trying to make everything work when you could have just done it the recommended way.
I configured my apache so that it can forward my requests to external URL like google.com, but the reverse proxy doesn't work.
<VirtualHost *:443>
ServerName authtest.com
ProxyRequests Off
ProxyPreserveHost On
<Proxy *>
Order allow,deny
Allow from All
</Proxy>
<LocationMatch "/google">
ProxyPass https://www.google.com/
ProxyPassReverse https://www.google.com/
</LocationMatch>
</VirtualHost>
Is it possible for me to reverse proxy external websites?
Is it possible for me to reverse proxy external websites?
Yes but with significant downsides.
Note: when I tried your configuration, I got SSL Proxy requested for [...] but not enabled [Hint: SSLProxyEngine] in the logs so I added SSLProxyEngine on.
Host issue
When you make a HTTP/1.1 request to a server, you automatically add the hostname in the request. When you proxy them, you have two possibilites:
[browser] --(Host: authtest.com)--> [apache proxy] --(Host: authtest.com)--> Google
or
[browser] --(Host: authtest.com)--> [apache proxy] --(Host: google.com)--> Google
The first one is what you get with ProxyPreserveHost On. Google servers won't handle requests for authtest.com, you should remove this line.
Even in the second case, you can have issues. ProxyPassReverse will handle redirects but only for the given domain: I'm in France, google.com redirects me to google.fr (a different domain) and the reverse proxy doesn't rewrite the redirect.
An other issue is the referer: if a service sees requests for images/css/js coming from a different web site it may consider it as bandwidth leeching and block them. Now, you need to rewrite the html of the response too (mod_proxy_html will help but it's not a silver bullet).
Path issue
In your example, you proxy <authtest>/google to <google>/. Like above, you need to rewrite the html: absolute links/resources won't work unless your server adds /google everywhere. Same for relative links/resources (but with more edge cases). If you owned the backend server, you could have checked urls in html/css/js files. Here, if the url is built dynamically in the browser using js you can't do anything.
If you can proxy / to / (or /whatever to /whatever) you will avoid a lot of issues here.
Chech this GIT Repo
I forked a GIT Repo and customized it to work with scenario:
[browser] --(Host: google.local)--> [apache proxy] --(Host: google.nl)--> Google
The Apache config as follows:
<VirtualHost *:80>
ServerName google.local
SSLProxyEngine on
ProxyRequests Off
<Proxy *>
Order allow,deny
Allow from All
</Proxy>
ProxyPass / https://www.google.nl/
ProxyPassReverse / https://www.google.nl/
ErrorLog /var/log/apache2/google.local-error.log
CustomLog /var/log/apache2/google.local-access.log combined
</VirtualHost>
I have a host with a single web app and at the moment I am accessing it via www.hostnameA.com/ as the web app is deployed to tomcat/webapps as the tomcat ROOT web app.
Now I need to add another web app to my host and I also want this one to have no context either but will access it via another hostname www.hostnameB.com/ but I can only deploy one ROOT tomcat web app.
I should have added that I am using apache as well and my virtual host looks like:
<VirtualHost *:80>
ServerName www.hostnameA.com
ProxyRequests Off
ProxyPreserveHost On
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
</VirtualHost>
I tried renaming the war file to webAppA and then appending that to the proxypass but it gave me a 400 error and kept appending /webAppA to the URL:
ProxyPass / http://localhost:8080/webAppA
Is there a solution to this? I dont really want to run multiple instances of tomcat on different ports just for this, is there another option?
As discussed above, most straightforward solution would be to use Apache's mod_proxy_ajp, allowing proxying and AJP forwarding at the same time. Configuration should look something like:
<VirtualHost *:80>
ServerName www.hostnameA.com
ProxyPass / ajp://localhost:8009/webAppA/
ProxyPassReverse / http://www.hostnameA.com/webAppA
[...]
...and same with B for www.hostnameB.com.
What I'm basically trying to accomplish is having my main website running a CMS written in Go. This will be located at www.example.com.
I also have applications written in PHP located in directories, such as www.example.com/clients/
How can I serve example.com/clients using Apache/PHP while serving example.com using Go built-in web server?
Via mod_proxy in Apache2, you can proxy different paths into different destinations at localhost or anywhere else accessible by your server, including within your local network (if your server can access it).
For this you would use ProxyPass (Apache2 Docs for ProxyPass, which is very useful reading) like the example below:
<VirtualHost *:80>
ServerName some.example.host.xyz
DocumentRoot /var/www/your-document-root
Alias /clients/ /var/www/clients/
ProxyPass /clients/ !
ScriptAlias /something-using-cgi/ /var/www/cgi-stuff/
ProxyPass /something-using-cgi/ !
ProxyPreserveHost On
ProxyPass / http://localhost:9876/
ProxyPassReverse / http://localhost:9876/
ProxyPass /elsewhere/ http://elsewhere.example.host.xyz:1234/
ProxyPassReverse /elsewhere/ http://elsewhere.example.host.xyz:1234/
</VirtualHost>
You'll want to be sure that you set your proxy security such that external users can't use your reverse proxy as a forward proxy, too. You can do that via ProxyRequests as described in the official Apache2 docs. The way I did this on a server is to put this in your server-wide config (you should verify on your own that this is secure enough):
# disables forward proxy
ProxyRequests Off
Andrew Gerrand has a good blog post about this for nginx but the principle is the same for Apache.
You want to set up Apache as a reverse proxy for requests coming in for the Go application.
For Apache you want to look at mod_proxy