Apache SSL Proxypass gives unsecured content for zope - apache

Had hit a roadblock with the Apache configuration trying to redirect or proxy to other webservers. Have googled for quite a while but am stuck as mentioned in the scenario below. Apart from using Apache for some out-of-the-box web applications like Plone, cmdbuild, etc., I don’t have much experience with Apache. Leaving security aside for the configuration for Apache, am I trying to achieve something the wrong way? Do give me your views and other possible ways to achieve what I am trying to do. Am planning to run all the sites under https.
Scenario:
Server 1 – 10.0.0.1 (CentOS 6.5)
Apache (version 2.2.5) running on port 80 (SSL enabled) – Main Web Server
Zope (Plone) running on port 8080
Sites:
http://10.0.0.1:8080/site1
http://10.0.0.1:8080/site2
Server 2 – 10.0.0.2 (CentOS 6.5)
Tomcat running on port 8080
Sites: http://10.0.0.3:8080/site3
Server 3 – 10.0.0.3 (Windows Server 2008)
IIS running on port 80
Sites: http://10.0.0.4/site4
If ProxyPass and ProxyPassReverse are used in the Apache ssl.conf like below:
ProxyPass /site1 http://10.0.0.1:8080/site1
ProxyPassReverse /site1 http://10.0.0.1:8080/site1
ProxyPass /site2 http://10.0.0.1:8080/site2
ProxyPassReverse /site2 http://10.0.0.1:8080/site2
ProxyPass /site3 http://10.0.0.2:8080/site3
ProxyPassReverse /site3 http://10.0.0.2:8080/site3
ProxyPass /site4 http://10.0.0.1:8080/site4
ProxyPassReverse /site4 http://10.0.0.1:8080/site4
Site 3 and Site 4 are working properly fine with the ssl enabled but site 1 and site 2 (running under localhost zope) are working too but the contents are not showing properly because
“Connection Partially Encrypted
Parts of the page you are viewing were not encrypted …..”
If RewriteEngine is used instead of ProxyPass as shown below, both site1 and site2 run perfectly under ssl.
RewriteEngine On
RewriteRule ^/(.*) http://10.0.0.1:8080/VirtualHostBase/https/%{SERVER_NAME}:443/site1/VirtualHostRoot/$1 [L,P]
But the other sites site3 and site4 are not reachable.
Apache httpd.conf just had a permanent redirect to https
<VirtualHost *:80>
Redirect permanent / https://10.0.0.1/
</VirtualHost>

If your rewrite rule is working for anything other than site1, it's because acquisition is making other sites appear inside site1. You don't want to depend on that.
Instead, have a separate rewrite rule for each site:
RewriteEngine On
RewriteRule ^/site1(.*) http://10.0.0.1:8080/VirtualHostBase/https/%{SERVER_NAME}:443/site1/VirtualHostRoot/$1 [L,P]
RewriteRule ^/site2(.*) http://10.0.0.1:8080/VirtualHostBase/https/%{SERVER_NAME}:443/site2/VirtualHostRoot/$1 [L,P]
RewriteRule ^/site3(.*) http://10.0.0.2:8080/VirtualHostBase/https/%{SERVER_NAME}:443/site3/VirtualHostRoot/$1 [L,P]
RewriteRule ^/site4(.*) http://10.0.0.1:8080/VirtualHostBase/https/%{SERVER_NAME}:443/site4/VirtualHostRoot/$1 [L,P]
Don't try to do this with one rewrite rule, or you'll expose your Zope root via proxy. A bad idea.
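An added example, not part of the original question or answer: a Python check for the "partially encrypted" symptom. ProxyPassReverse only rewrites response headers such as Location, so absolute http:// URLs in the HTML body still reach the browser unless the backend is told the public base URL, which is what the VirtualHostBase path does. The function names and both sample HTML bodies are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute whose URL the browser fetches as a subresource.
# <a href> is navigation, not mixed content, so it is deliberately absent.
SUBRESOURCE_ATTRS = {"img": "src", "script": "src", "iframe": "src",
                     "link": "href", "source": "src", "embed": "src"}

def vhm_backend_url(backend, site, public_host, path, scheme="https", port=443):
    """Backend URL in the VirtualHostMonster form used by the RewriteRule."""
    return (f"{backend}/VirtualHostBase/{scheme}/{public_host}:{port}"
            f"/{site}/VirtualHostRoot/{path.lstrip('/')}")

class _Collector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # Simplification: of the <link> tags, only rel=stylesheet is counted.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        value = attrs.get(SUBRESOURCE_ATTRS.get(tag, ""))
        if value:
            absolute = urljoin(self.page_url, value)  # resolve relative URLs
            if urlsplit(absolute).scheme == "http":
                self.insecure.append(absolute)

def find_mixed_content(page_url, html):
    """Return subresource URLs that an HTTPS page would load over plain HTTP."""
    collector = _Collector(page_url)
    collector.feed(html)
    return collector.insecure

# Constructed sample: what a backend reached by plain ProxyPass might emit,
# building absolute URLs from the Host it was contacted on.
PROXYPASS_BODY = """<html><head>
<link rel="stylesheet" href="http://10.0.0.1:8080/site1/portal_css/base.css">
<script src="http://10.0.0.1:8080/site1/portal_javascripts/jquery.js"></script>
</head><body><img src="logo.png">
<a href="http://10.0.0.1:8080/site1/news">News</a></body></html>"""
# Constructed sample: the same page once the backend is told the public base URL.
VHM_BODY = PROXYPASS_BODY.replace("http://10.0.0.1:8080/site1", "https://10.0.0.1")

if __name__ == "__main__":
    print(vhm_backend_url("http://10.0.0.1:8080", "site1", "10.0.0.1", "/index"))
    print("ProxyPass:", find_mixed_content("https://10.0.0.1/site1/", PROXYPASS_BODY))
    print("VHM rewrite:", find_mixed_content("https://10.0.0.1/", VHM_BODY))
```

Run against pages fetched through the proxy, a non-empty result means the backend is still generating URLs from its internal address.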

Related

How to configure Apache virtual hosts based on referer?

We have a Tomcat web server running on port 8080 and an Apache server running on port 80 in a Windows environment. Our objective is to configure the Apache server as a proxy server to hide the Tomcat web server address from the users. When I tried to use mod_rewrite based on an HTTPREFERER rule it's working fine, but the user is able to see the redirected URL in the browser's network tab.
RewriteEngine on
RewriteMap deflector "txt:C:/gsasetup/gsaproxy01/Apache24/conf/deflector.map"
RewriteCond "%{HTTP_REFERER}" !=""
RewriteCond "${deflector:%{HTTP_REFERER}}" "=-"
RewriteRule "^" "%{HTTP_REFERER}" [R,L]
RequestHeader set Authorization "Basic dXNlcjpwYXNzd29yZA==" env=DOAUTH
RewriteCond "%{HTTP_REFERER}" !=""
RewriteCond "${deflector:%{HTTP_REFERER}|NOT-FOUND}" "!=NOT-FOUND"
RewriteRule "^" "${deflector:%{HTTP_REFERER}}" [R,L]
Similarly, when I tried using a virtual hosts configuration it's internally redirecting the requests to the Tomcat web server running on port 8080.
ServerName localhost
ServerAlias *.localhost
ProxyRequests off
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
But here what I want is the combination of both. That means the proxy should happen only for a specific referrer. Otherwise I want to send the user an unauthorized response.
Is this kind of configuration possible?

Redirect DOCROOT to specific application - Apache fronting Tomcat

I have an Apache fronting a Tomcat application. I want to change the document root of the application to a specific Tomcat application. What I want to do is this:
If the website name is example.com, typing www.example.com or example.com or any such variant should lead you to example.com/ebb without any change in URL.
I have tried:
RewriteCond %{HTTP_HOST} ^example.com
RewriteRule ^(.*) http://www.example.com/eb/$1 [P]
This did not work. I keep getting redirected to the Apache test page.
Where am I going wrong? How do I get this right?
Tomcat runs on port 8080 by default and what you're trying to run is a website on port 8080 by providing only the URL.
"www.example.com" will go to port 80 and not port 8080 by default.
Specify what is the final solution you want to achieve.
Also I could see you've written you have an Apache fronting a Tomcat application. Well, in that case, if this is what I'm thinking it is, all you need to do now is to put up a new host in the Apache virtual host config file with ProxyPass and ProxyPassReverse parameters.

apache2 rewrite rule without changing URL

This below rewrite redirects localhost to http://www.example.com/?id=211&test=1 but I want that localhost on browser should not be changed but the page will come from the above link.
I am using this rewrite rule on my Apache conf:
RewriteEngine On
RewriteCond %{HTTP_HOST} ^localhost$ [OR]
RewriteRule ^/?$ http://www.example.com/?id=211&test=1 [L]
This below rewrite redirects localhost to
http://www.example.com/?id=211&test=1 but I want that localhost on
browser should not be changed but the page will come from the above
link.
If you want to load a page from elsewhere without changing the URL, mod_rewrite is the wrong tool for the job. Use mod_proxy instead. First enable it in Apache like this; the example assumes you are on Ubuntu 12.04 but should work on most any Linux Apache install:
sudo a2enmod proxy proxy_http
Then set this to enable a reverse proxy from your root path of / to http://www.example.com/?id=211&test=1:
<IfModule mod_proxy.c>
# Proxy specific settings
ProxyRequests Off
ProxyPreserveHost On
<Proxy *>
AddDefaultCharset off
Order deny,allow
Allow from all
</Proxy>
ProxyPass / http://www.example.com/?id=211&test=1
ProxyPassReverse / http://www.example.com/?id=211&test=1
</IfModule>
EDIT: Seems like mod_proxy and query strings for the destination do not mix; emphasis mine:
This directive allows remote servers to be mapped into the space of
the local server; the local server does not act as a proxy in the
conventional sense, but appears to be a mirror of the remote server.
The local server is often called a reverse proxy or gateway. The path
is the name of a local virtual path; url is a partial URL for the
remote server and cannot include a query string.
So if there is any way you could set another page—maybe on localhost—that would bounce it behind the scenes. Meaning this happens on localhost:
ProxyPass / bounce.php
And then the file, bounce.php could have this line in it:
<?php
header('Location: http://www.example.com/?id=211&test=1');
?>
Which would allow mod_proxy to have a valid destination. And then the PHP file does the redirect? Hard to say, but the query string on your destination server is the issue.

mod_jk and mod_rewrite with prefix

We are trying to configure apache to forward requests to different servers hosting different Application servers.
We want to achieve the following.
www.mydomain.com/server1 --->forward to ---> 172.30.34.50:8082 (AP1 jboss)
www.mydomain.com/server2 --->forward to ---> 172.30.34.51:8082 (AP2 jboss)
Our current configuration:
mod_jk.conf:
JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
httpd.conf
JkMount /cliente1* ajp13unsecure
RewriteEngine on
RewriteLog logs/apache-mod_rewrite.log
RewriteLogLevel 3
RewriteRule ^/cliente1(/)?([^/]*)/?$ /$2 [L,PT] (tried w/o PT with no success)
The problem is that when mod_jk forwards the request, it gets to the application servers like this: 172.30.34.50:8082/server1
Which is not a valid resource in the application server, it should go to root (172.30.34.50:8082)
We tried using mod_rewrite, but it triggers before mod_jk, so when apache try to match mod_jk rule, it doesn't satisfy the condition anymore. And the request is not forwarded.
How can we get mod_rewrite to trigger right before mod_jk does the forwarding so the application servers get the correct URI.
Or is there a way to configure mod_jk to forward request without the context?
How can we get mod_rewrite to trigger right before mod_jk does the
forwarding so the application servers get the correct URI.
Not too sure why I have noticed an uptick in people asking about mod_jk, but in my experience mod_proxy works better & is easier to understand for doing what you are attempting to do.
To enable mod_proxy in Apache do the following; assuming you are on Ubuntu/Debian:
sudo a2enmod proxy proxy_http
Then restart Apache like this; again assuming you are on Ubuntu/Debian:
sudo service apache2 restart
That done, this is a simple setup that should work within your Apache config. Winging it based on your settings:
# Settings for adding a trailing slash to the URL
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/(server1|server2)$
RewriteRule ^(.*)$ http://%{HTTP_HOST}$1/ [R=301,L]
# Settings for Apache Reverse Proxying
<IfModule mod_proxy.c>
# Proxy specific settings
ProxyRequests Off
ProxyPreserveHost On
<Proxy *>
AddDefaultCharset off
Order deny,allow
Allow from all
</Proxy>
ProxyPass /server1 http://172.30.34.50:8082/
ProxyPassReverse /server1 http://172.30.34.50:8082/
ProxyPass /server2 http://172.30.34.51:8082/
ProxyPassReverse /server2 http://172.30.34.51:8082/
</IfModule>
The initial mod_rewrite settings add a trailing slash to URLs which I found I needed to do in cases where a path fragment—like /server1 and /server2—were going through a reverse proxy.
Also note I have /server1 and /server2 set but they might need to have a slash added to them like this /server1/ and this /server2/. Experiment to see what works best.

Can I configure Apache on my laptop to forward to real site for all requests except one?

I want to run some local tests on a site I have. The site is accessible at www.mysite.com. I want one particular file to be fetched from my local machine. I thought I could maybe achieve this by
installing Apache locally
adding 'localhost www.mysite.com' to my hosts file
configure Apache to forward all requests to www.mysite.com except for requests for the particular file www.mysite.com/myapp/myfile.css, which should be served from the Apache web server running locally.
Firstly I am not sure whether that set-up would work - in the case where a file is requested that is not my special case, the request would be forwarded to www.mysite.com/... , but would that then (because of the entry in my hosts file) go back to my local Apache server and into some infinite loop?
Secondly (and only relevant if the above is not true), how would I configure Apache to do that? I guess I need a ProxyPass but I'm having trouble figuring out exactly what.
Thanks for any help.
Paul
I don't think you'll be able to do this the way you're suggesting as you'll never be able to perform a lookup to proxy to www.mysite.com if you've defined it as localhost.
You could create another domain in your hosts file, say local.mysite.com and host the desired website files there and proxy everything else to www.mysite.com:
<VirtualHost *:80>
ServerName local.mysite.com
DocumentRoot ...
<Directory ...>
...
</Directory>
RewriteEngine On
# Proxy everything except the one file that is served locally
RewriteCond %{REQUEST_URI} !^/myapp/myfile\.css$
RewriteRule ^/(.*)$ http://www.mysite.com/$1 [P]
</VirtualHost>
Or if www.mysite.com works directly using the IP (i.e. not via virtual hosting) you could point localhost to mysite.com and use the real IP in the rewrite proxy.
<VirtualHost *:80>
ServerName www.mysite.com
DocumentRoot ...
<Directory ...>
...
</Directory>
RewriteEngine On
# Proxy everything except the one file that is served locally
RewriteCond %{REQUEST_URI} !^/myapp/myfile\.css$
RewriteRule ^/(.*)$ http://1.2.3.4/$1 [P]
</VirtualHost>