I run a local development web server for testing out code changes.
Often I have to test my local changes with remote services that can only connect securely to another domain.
e.g. https://external1.com will only talk to https://someOtherDomain.com, but I've got to test integration of my new code changes with https://external1.com
While I've got a setup configured that works, it seems complex, and took a bit to get setup right. It seems to me that many developers would want to do this same thing, so my question is this:
Is there an easy way to proxy my local webserver as https://someOtherDomain.com ?
EDIT: So maybe this should be asked this way - Does a command line or GUI tool exist that you can pass a local port and a domain name, and it serves your local port securely over https://someOtherDomain.com - no config or SSL cert creation required? Of course it'd be nice if the SSL cert could be replaced through configuration if need be, but by default, it'd work automatically, by using a precanned SSL cert. And even though I'm using Apache, I'm looking for a solution that actually doesnt use Apache - it uses something else. Why? Because I want this solution to work well with any other webserver that's being used by people on our team - as we all run different stacks, and I'd like to be able to let any of us securely serve our sites without having to configure each webserver individually.
Here's my current setup for taking my local webserver and serving it up at https://www.someOtherDomain.com
To test this locally, I've been:
editing my hosts file, and adding an entry to make www.someOtherDomain.com point to my local machine, which of course is running my dev server. This makes it so my local site is now available at http://www.someOtherDomain.com
127.0.0.1 www.someOtherDomain.com
Running Apache with a SSL Cert setup and mod_proxy to redirect all https requests to my local http server, thus making my site available at https://www.someOtherDomain.com. Here's my Apache config for this:
ServerName www.someOtherDomain.com
<Location /balancer-manager>
SetHandler balancer-manager
</Location>
ProxyPass /balancer-manager !
ProxyPass / balancer://mycluster/
<Proxy balancer://mycluster>
BalancerMember http://localhost route=1
</Proxy>
ProxyPass / balancer://mycluster
ProxyPassReverse / balancer://mycluster
SSLHonorCipherOrder On
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite RC4-SHA:HIGH:!ADH
# Rewrite all http requests to https
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
I run this on a mac, but am interested in solutions for linux as well. I've seen various Man in the Middle proxy's that sound like they'd work with some configuration... but I'm looking for something really simple to install and run - not just for me, but something I can tell team members about too, as we may all have to do this a lot in the future.
IMPORTANT NOTE: My local webserver isn't running on Port 80, though I've put it this way in the above example, to keep it simple. I understand port 80 on a mac is a bit special, but am very happy with solutions that work fine on all ports but port 80.
I think mitmproxy can do this for you, as least on linux and os-x. I haven't tried it myself but this question seems to show how it is done. It's still not a trivial program though.
There are however other approaches, which I have used:
The first one is the most pretty simple one, create a DNS entry for develop.mydomain.com which points to 127.0.0.1 and a single certificate for a (sub)domain where you control the DNS. Spread that certificate to all your developers. They'll still need to setup SSL themself but they don't need to generate certificates anymore. It has the added benefit that everybody is developing against https://develop.mydomain.com which allows them to share the configuration.
For bonus points, create a DNS entry for *.develop.mydomain.com and a wildcard certificate and your developers can have different sites (e.g. https://project1.develop.mydomain.com and https://project2.develop.mydomain.com) on there local machine. (Contrary to what the internet sometimes tells you, name based virtual hosting works fine with SSL as long as the certificate is valid for all the named hosts). Since the domain is the same for everybody you can consider getting a valid wildcard certificate to get rid of the warnings.
Unlike the solutions below this works even outside of the office network, which may be relevant when people are working from home or at the customer.
Building on this you could also create DNS entries for the internal IP's of the developer machines (if those are fixed). This does add some work, but it means the ongoing work of a developer can be reached by others in the local network, which can be very convenient for demo's, testing on mobile devices, etc.
An other option is to configure a single machine to proxy for all your developers. Create a DNS entry pointing to the internal IP of this box on something like *.develop.mydomain.com, a matching wildcard certificate and configure that box once with the correct certificate. Now you can create a virtual host for each proxied server, and again, all sites will be reachable throughout the local network, but it does require the developer to have fixed ip addresses (or hostnames added to DNS through DHCP).
Combined with the ability of apache to include all files in a directory in it's configuration makes it trivial to create a script which adds a new site based on a template. All it has to do is write a new file based on the requested subdomain plus the destination and reload the apache config. This means something like a simple PHP script can do what you want the application to do.
If you want to expose your web on your local machine to the internet try Runscope Passageway, it's easy to setup and "just works" (from experience).
Another alternative is ngrok which I also used, but it didn't always work for me.
Related
I'm starting from the bitnami jenkins stack. Everything is working perfectly with jenkins.
http://sample:8080/jenkins (works fine)
I'm trying to add additional directories to apache to proxy to nginx:
http://sample:8080/other_tool
I can get to the other_tool homepage, but references to that other tool break down because they are looking for http://sample:8080/relative_url rather than http://sample:8080/other_tool/relative_url
I can pull config settings from the necessary files as needed, but it is on an air-gapped network so wholesale posting would be a challenge
The apache conf looks like:
<Directory /other_tool>
ProxyPass http://localhost:9999
ProxyPassReverse http://localhost:9999
</Directory>
The nginx configuration is a standard "/" with root directory. I'm not as familiar with nginx so I can't recall the exact information off the top of my head. If needed I will provide it.
I could try to switch the jenkins hosting over to nginx, but I'm not sure that simplifies anything.
I can't open more ports on the machine. I can't use a subdomain as that would require additional DNS entries that I do not control.
Ideas or suggestions?
My main domain is subdomain.domain.tld, and I want to rewrite all the traffic from subdomain1.domain.tld to the first one. Meaning if someone accesses subdomain1.domain.tld/whatever.php, he actually accesses subdomain.domain.tld/whatever.php, however, he's still shown subdomain1 in the browser's navigation bar.
I did some research, but I couldn't find something too promising.
You don't need rewriting for this, in fact internal rewriting is not possible between separate hosts...
Assuming that both "subdomains" (those are actually hostnames) are served by the same http server you can simply configure the same DocumentRoot for both hosts. That way they serve exactly the same file system which obviously means that the same scripts will be called.
Maybe you can get away even more simple if you just use the ServerAlias command for your virtual host. This obviously is only possible if you do not need separate configurations for both hosts.
Just take a look into the documentation of the apache http server. This is explained and good examples are offered:
https://httpd.apache.org/docs/2.4/vhosts/examples.html
In case those two hosts are not served by the same http server you could use an internal proxy setup: subdomain1.domain.tld acts as a front end proxy for subdomain.domain.tld, so it just relays all incoming requests and also the outgoing responses. That is easily done with a combination of the ProxyPass and the ProxyPassReverse rules offered by apaches proxy module: https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypassreverse
This setup can even be used if the two http servers operate on different IP addresses or even completely separate systems.
Okay let me explain my problem really fast. I have a JEE Programm running on my tomcat server. The server has some user defined in the tomcat-users.xml When i test my programm on my local machine everything works fine.
However if i deploy the .war on my server and i want to access a Rest Endpoint i get a 401 unauthorized error. If i remove the users security check i can work fine with the program. So the URLs and server setup is correct.
I think that the problem is somehow related to the forwarding of tomcat through my apache.
So lets assume i have an apache running on http://myIp.de
then i forwarded tomcat with following apache config:
ProxyRequests off
ProxyPass /tomcat http://localhost:8181/ nocanon
ProxyPassReverse /tomcat http://localhost:8181/
so now i can reach tomcat through: http://myIp.de/tomcat
also i can "speak" to my app via: tomcat/myApp
But somehow the Authentizication now fails. And i think the problem is
somehow related to wrong context path. Because tomcat/manager
also fails to login.
Make your life easier by deploying your app under /tomcat on tomcat too. This way there's no path-translation required. Keep in mind that you'll get all the session cookies tied to a specific path and this path is not necessarily translated once forwarded to the client.
Also, sooner or later you might need
ProxyPreserveHost On
(look it up) or utilize mod_jk to preserve this header (and more information) automatically.
Edit: Following your comment, Basic Auth headers seem not to be forwarded to tomcat as well. I haven't attempted this myself, but all the places that I've looked up seem to imply that there'd be some duplication (e.g. second credentials file for Apache) - that doesn't look good. In this case I'd suggest to try out mod_jk rather than mod_proxy. You'll use the JkMount directive, rather than ProxyPass and need a workers.properties, but mod_jk is a lot better in keeping the full context of the request when forwarding to tomcat. I've had good experience with it so far and have only heard little complaints about it - largely in situations that were pretty huge and complex/complicated anyway. At least you should try if it solves your problems.
I have a web app at domain1.com which needs to be able to make requests to many different sites, too many to add specific vhost information for each site, what I'd like to be able to do is make a request with the web app to its hosting apache server like this
/domain1.com/some/path
/domain2.com/some/path
and for it to be send to
https://domain1.com/some/path
https://domain2.com/some/path
I've tried different settings using apaches ProxyPass but with no success
How do I do this?
That should be able to work with these directives:
ProxyPass /domain1.com/ https://domain1.com/
ProxyPass /domain2.com/ https://domain2.com/
A request to https://yourproxy.com/domain1.com/some/path should then be forwarded on to https://domain1.com/some/path. It is also possible you may need to use some of the SSLProxy* directives from mod_ssl.
Edit Based on the comment, you might try this:
ProxyPass / http://
I just now tried that, and http://myproxy.com:port1/myserver.com:port2/some/path was sent on to (and returned from) http://myserver.com:port2/some/path.
However, this seems like a bad idea from a security standpoint. I suppose it does allow the proxy to sit on one side of a firewall and allow the backends to be behind the firewall. I am certainly no web expert, but it just feels a bit sketchy.
What should do to setup a sub-domain for the users when they sign-up into my site.
What are the infrastructure required? I am using Linux servers.
You can either use a specific DNS (CNAME or A/AAAA) entry for each known subdomain, or a wild-card DNS entry that'll accept *.example.com:
$ORIGIN example.com
foo IN A 12.34.6.78
bar IN A 12.34.6.78
or
$ORIGIN example.com
* IN A 12.34.6.78
The advantage of this latter is that no changes are required to either DNS or Apache configuration once the service is running. The disadvantage is that all such wildcard lookups must (by definition) end up returning the same IP address.
The Apache configuration will depend on your requirements, both for end-user control and security. Note that if the users have permission to run CGI scripts on the server then additional setup will be needed to ensure that that's done securely.
Depending on whether content is static or dynamic this will also affect your configuration:
Use mod_vhost_alias to map individual virtual hosts into their individual directories on the server.
If you really want, create a separate <VirtualHost> section for each known site, but then you'll have to restart Apache each time a new user signs up
Use a single <VirtualHost> and then look at the hostname part of the requested URL (from the $SERVER_NAME environment variable) in the scripts that render the output to figure out which user's content to display.
You can make a CNAME entry/ A Record in your DNS settings, for each subdomain
A CNAME record is a record in your
Domain Management Settings that allows
you to control a subdomain of your
domain.
To automate it along with registration, you can write a script which is executed for each user, when s/he registers.
You can refer to this link, as well, for a step-by-step process for Apache:
How to setup subdomains in apache
(since you mentioned Linux, I assume it must be APache. Please mention if it is otherwise)
Alternate Solution
You can also refer to the wildcard solution, given by Alnitak, in the same thread. I find his is an easier way. :)
infrastructure includes access the the dns server to add a wildcard entry, and rewrite rules in Apache.
Try these answers:
How to let PHP to create subdomain automatically for each user?
How to make subdomain user accounts in a webapp
or this link:
http://jam.jrox.com/docs/index.php?article=76
If your using Linux server's I'm assuming your using Apache as your webserver.
You'll have to setup proper DNS routing for the sub domain as well as a virtual host.
Virtual Hosts are fairly easy to setup but I'm not sure how easy it is to do them on the fly progmatically.
Most of the time it's as easy as editing your apache config file and adding the following:
Port 80
ServerName www.mydomain.com
NameVirtualHost *:80
<VirtualHost *:80>
DocumentRoot /www/user-bob
ServerName bob.mydomain.com
...
</VirtualHost>
<VirtualHost *:80>
DocumentRoot /www/user-sally
ServerName sally.mydomain.com
...
</VirtualHost>
The VirtualHost Documention will probably of some use to you.
Apache allows you to specify any number of 'sites' based on subdomains on a single server. Creating a new 'site definition' file with the appropriate subdomain information in it, along with proper DNS wildcards, will do what you want.
In other words, the process is like this:
Setup wildcards so that *.mysite.com directs to the proper server.
When a new user signs up, create the proper Apache site definition file - you'll probably have a base template that you put the right subdomain information into and save.
Make Apache re-read its configuration.
Profit.
IMPORTANT This is based on a Debian-style Apache configuration, where the config files are included in a directory, and the main configuration reads all the config files in that directory. This will simplify things a great deal, because adding/removing subdomains will mean adding/removing files, rather than editing a single file, and so the process will be much easier to automate.