Apache reverse proxy to https server - apache

I'm trying to set up a reverse proxy to some web service, so I can develop a JavaScript Ajax application on localhost. I have managed to do it with Apache in the following way:
ProxyPass /serviceproxy/ http://someservice.com/
ProxyPassReverse /serviceproxy/ http://someservice.com/
ProxyHTMLURLMap http://someservice.com/ /serviceproxy/
<Location /serviceproxy>
ProxyPassReverse /
ProxyHTMLEnable On
ProxyHTMLURLMap / /serviceproxy/
ProxyHTMLURLMap http://someservice.com/
RequestHeader unset Accept-Encoding
</Location>
That works fine for http webpages, but not for https pages. If I set proxy to https://someservice.com/, Apache returns 500 Internal server error. I'm new to Apache configuration. How to make it work? Is it even possible?
thanks

You have to enable the SSL module (a2enmod ssl). Then, in the /etc/apache2/sites-available/default file, include the following lines:
RequestHeader set X-Forwarded-Proto "https"
ServerName localhost
SSLProxyEngine On
RequestHeader set Front-End-Https "On"
Between line
ServerAdmin webmaster@localhost
and line
DocumentRoot /var/www
Hope it helps.

Related

Reverse proxy in Apache + CentOS for HTTPS requests to PostgREST webserver

I would like to make https requests to my PostgREST webserver, which by design doesn't support https. I have spent several days on this now and I don't know how to go any further...
My setup
My server is running on CentOS 7.9.2009
I have a website domain that uses Wordpress to serve my content in home/myuser/public_html
I setup PostgREST 7.0.1 on my server which runs on port 3000
I am running Apache/2.4.51 (cPanel)
My Problem
The following request works just fine: http://my-domain.com:3000/my_db_table
I would like to run the same request like: https://my-domain.com/api/my_db_table
My Apache configuration is in an "includes" file, seems to be loaded (as errors occur when I put wrong syntax intentionally in this file) and it looks like this:
<VirtualHost *:443>
DocumentRoot /
ServerName my-domain.com
ServerAlias my-domain
ErrorLog /home/myuser/public_html/api/error.log
CustomLog /home/myuser/public_html/api/access.log combined
SSLEngine on
SSLUseStapling off
SSLCertificateFile /etc/ssl/certs/server.my-domain.com.crt
SSLCertificateKeyFile /etc/ssl/private/server.my-domain.com.key
<Location /api/ >
ProxyPreserveHost On
ProxyPass http://localhost:3000/
ProxyPassReverse http://localhost:3000/
RequestHeader set X-Forwarded-Port "443"
RequestHeader set X-Forwarded-Proto "https"
</Location>
</VirtualHost>
running httpd -t returns Syntax OK
after my changes I run sudo systemctl restart httpd
when I then try to do a request like curl -i https://my-domain.com/api/my_db_table I am redirected to the 404 page of my Wordpress website
the error.log file of my apache config does not include any errors (it included errors for stapling which I resolved by adding the line SSLUseStapling off in my config)
I don't know what to do anymore. And because I don't have any error logs I even don't know how to start debugging it. I would be happy for any hint somebody could provide me.
I have successfully used https with PostgREST and the following settings in the VirtualHost section, but I didn't use the tag.
ProxyHTMLEnable On
ProxyPreserveHost On
SSLEngine on
SSLProxyEngine On
RewriteEngine on
#Proxy for postgrest api
ProxyPassMatch "/api/(.*)" "http://localhost:3000/$1"
ProxyPassReverse "/api/" "http://localhost:3000/"

Apache24 how to proxy and return 404 for undefined endpoints

I have two virtual hosts running on a single Tomcat server. Lets call them a.com and b.com. Tomcat is configured to support only http on port 8080. (This is simplified, in real life there are multiple Tomcat instances each running a set of virtual hosts.)
I am fronting the host with Apache24 for the purpose of proxying incoming https requests to backend http. This emulates a production environment in which https certificates are handled by a corporate firewall, and requests are forwarded to the backend via http with some additional header fields inserted.
So, I have this proxying for restricted (external) users with two-way authentication:
https://a.com:443 -> http://a.com:8080
I also have this proxying for trusted (internal) users:
http://a.com:80 -> http://a.com:8080
http://b.com:80 -> http://b.com:8080
The problem is that due to some Apache24 default handling, a request to https://b.com/foo gets routed to http://a.com:8080/foo. I want the https request to b.com to return a 404! I know I need some default mappings to kill the b.com request, but so far nothing has worked.
The Apache24 details:
File httpd-vhosts.conf:
<VirtualHost a.com:80>
ProxyPreserveHost On
ProxyRequests Off
ServerName a.com
DocumentRoot "c:/tmp"
ProxyPass / http://a.com:8080/
ProxyPassReverse / http://a.com:8080/
Header set Access-Control-Allow-Origin "*"
</VirtualHost>
<VirtualHost b.com:80>
ProxyPreserveHost On
ProxyRequests Off
ServerName b.com
DocumentRoot "c:/tmp"
ProxyPass / http://b.com:8080/
ProxyPassReverse / http://b.com:8080/
Header set Access-Control-Allow-Origin "*"
</VirtualHost>
File httpd-ssl.conf:
<VirtualHost a.com:443>
ProxyPreserveHost On
ProxyRequests Off
SSLEngine On
ServerName a.com
SSLVerifyClient require
SSLVerifyDepth 2
SSLStrictSNIVHostCheck on
#RewriteEngine On
RequestHeader set X-Forwarded-Proto https
RequestHeader setifempty CUSTOMFIELD "expr=CN=%{SSL_CLIENT_S_DN_CN}"
ProxyPass / http://a.com:8080/
ProxyPassReverse / http://a.com:8080/
SSLCertificateFile "c:/certs/a.com.crt"
SSLCertificateKeyFile "c:/certs/a.com.key"
SSLCACertificateFile "c:/certs/ca.crt"
</VirtualHost>
I see in the Apache24 logs lines that start like this when I request https://b.com/foo:
mod_proxy.c(880): [client 127.0.0.1:57956] AH03461: attempting to match URI path '/foo' against prefix '/' for proxying
mod_proxy.c(997): [client 127.0.0.1:57956] AH03464: URI path '/foo' matches proxy handler 'proxy:http://a.com:8080/foo'
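Apache uses the first `<VirtualHost>` defined for an address:port as the default when no ServerName or ServerAlias matches the requested host, which is why https://b.com/foo lands in the a.com proxy above. One way to get the 404 is a catch-all vhost listed before the a.com:443 one, shown here as an added example that is not part of the original question. The ServerName `catchall.invalid` is a placeholder, and reusing the a.com certificate paths from the question is an assumption.

```apache
# Added example for httpd-ssl.conf. Order matters: the catch-all must come
# first so it becomes the default for host names no other vhost claims.
<VirtualHost a.com:443>
    # Placeholder name (assumption); it only has to differ from every real site.
    ServerName catchall.invalid
    SSLEngine On
    # Assumption: reuse the a.com certificate from the question. A client asking
    # for b.com sees a certificate name mismatch, as no b.com certificate exists.
    SSLCertificateFile "c:/certs/a.com.crt"
    SSLCertificateKeyFile "c:/certs/a.com.key"
    # No ProxyPass in this vhost, so nothing reaches Tomcat.
    # With a non-3xx status, Redirect takes no target URL and answers every path.
    Redirect 404 /
</VirtualHost>

# The a.com vhost from the question, unchanged. It is now selected only when
# the requested host name is a.com.
<VirtualHost a.com:443>
    ProxyPreserveHost On
    ProxyRequests Off
    SSLEngine On
    ServerName a.com
    SSLVerifyClient require
    SSLVerifyDepth 2
    SSLStrictSNIVHostCheck on
    RequestHeader set X-Forwarded-Proto https
    RequestHeader setifempty CUSTOMFIELD "expr=CN=%{SSL_CLIENT_S_DN_CN}"
    ProxyPass / http://a.com:8080/
    ProxyPassReverse / http://a.com:8080/
    SSLCertificateFile "c:/certs/a.com.crt"
    SSLCertificateKeyFile "c:/certs/a.com.key"
    SSLCACertificateFile "c:/certs/ca.crt"
</VirtualHost>
```

Because ProxyPreserveHost is On, a b.com request that falls through to the a.com vhost is forwarded with its original Host header, so keeping unmatched names out of that vhost also keeps them away from Tomcat's other virtual hosts.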

Reverse proxy an http:// domain to a GitHub Pages URL

I have a URL, http://example.com, that I would like to use to serve content from my GitHub Pages site at https://myusername.github.io/mysite/ via a reverse proxy in Apache. This is both as a temporary workaround until I update example.com's DNS setting to point to GitHub Pages, as well as to teach myself how reverse proxies work.
I have my Apache config like so:
<VirtualHost *:80>
ServerName example.com
SSLEngine On
SSLProxyEngine On
SSLProxyVerify none
SSLProxyCheckPeerCN off
ProxyPass "/" "https://myusername.github.io/mysite/"
</VirtualHost>
When I try to go to "example.com", I get "The proxy server could not handle the request GET /.
Reason: Error during SSL Handshake with remote server."
Is what I'm trying to do possible, and if so, what should I be changing?
I'm using Apache 2.2.
You should probably remove the line:
SSLEngine On
It enables HTTPS on your port 80... but you don't provide an SSL certificate (...and HTTPS uses port 443).
You should also add the line:
ProxyPassReverse "/" "https://myusername.github.io/mysite/"
The following config works perfectly on reverse proxy github pages
<VirtualHost *:80>
ServerName custom-domain
ServerAdmin encycode#gmail.com
ProxyRequests Off
ProxyPreserveHost On
SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
RequestHeader set Host "myusername.github.io"
RequestHeader set X-Forwarded-Proto https
RequestHeader set Origin "myusername.github.io"
ProxyPass / https://myusername.github.io/mysite/
ProxyPassReverse / https://myusername.github.io/mysite/
</VirtualHost>
Make sure you replace myusername with your github username, mysite with your github repo name and custom-domain with your custom url
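The `SSLProxyVerify none` and `SSLProxyCheckPeer* off` lines in the config above turn off every check Apache makes on the upstream certificate, so the hop to GitHub is encrypted but not authenticated. The variant below keeps those checks on. It is an added example, not part of the original answers, and the CA bundle path is an assumption (the Debian/Ubuntu location).

```apache
# Added example: same reverse proxy, with upstream certificate checks enabled.
<VirtualHost *:80>
    ServerName custom-domain
    ProxyRequests Off

    # TLS is used only towards the backend; this listener stays plain HTTP,
    # so there is no SSLEngine directive here.
    SSLProxyEngine On

    # Require a valid chain up to a trusted CA.
    SSLProxyVerify require
    SSLProxyVerifyDepth 3
    # Assumed path: system CA bundle on Debian/Ubuntu. Adjust for your platform.
    SSLProxyCACertificateFile /etc/ssl/certs/ca-certificates.crt

    # Reject certificates issued for another host name or already expired.
    # SSLProxyCheckPeerName requires Apache 2.4.5 or later.
    SSLProxyCheckPeerName on
    SSLProxyCheckPeerExpire on

    # ProxyPreserveHost is left at its default (Off), so the Host header sent
    # upstream is myusername.github.io without a RequestHeader override.
    ProxyPass / https://myusername.github.io/mysite/
    ProxyPassReverse / https://myusername.github.io/mysite/
</VirtualHost>
```

If the handshake then fails, the proxy error log shows which check rejected the certificate; fix the trust store or host name rather than switching verification back off.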
You don't have to implement a reverse proxy yourself, since Github allows you to specify a custom domain
https://docs.github.com/en/pages/configuring-a-custom-domain-for-your-github-pages-site

Apache reverse proxy by HTTP/2 will lose MIME-type and use default

English is not my native language, please excuse typing errors.
I configured the Apache reverse proxy as follows, and it works fine.
ProxyRequests Off
SSLEngine On
SSLProxyEngine On
ProxyPass / https://example.com/
ProxyPassReverse / https://example.com/
And my website (PHP) supports HTTP/2, so I want to proxy it by HTTP/2.
I enabled mod_proxy, mod_proxy_http, mod_ssl, mod_http2, mod_proxy_http2 and some other modules, and set the .php MIME-type as application/x-httpd-php.
AddType application/x-httpd-php .php
The VirtualHost is as follows:
<VirtualHost *:443>
DocumentRoot "/path/to/wwwroot/"
ServerName localhost:443
ProxyRequests Off
SSLEngine On
SSLProxyEngine On
ProxyPass / h2://example.com/
ProxyPassReverse / https://example.com/
# Cert
SSLCertificateFile ...
SSLCertificateKeyFile ...
</VirtualHost>
The difference is the change from ProxyPass / https://example.com/ to ProxyPass / h2://example.com/.
The response header Content-Type in the browser always gets the default MIME-type.
You can find an example at the phpMyAdmin Demo: filter whitelist.php in DevTools; this file's Content-Type is text/javascript.
When proxying it by HTTP/2, the Content-Type becomes application/x-httpd-php; it loses the source MIME-type text/javascript.
And when proxying it by HTTP/1.1, it works well.
How can I resolve this problem?
Thank you.
It’s an old question, but I ran into the same problem and decided to investigate.
I found a bug in http2 proxy.
It will be fixed in next HTTPD release (2.4.55)
Virtual Host file configuration:
<VirtualHost *:443>
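ServerAdmin admin@test.com
ServerName example.com
ServerAlias www.example.com
# mod_ssl directive names (nginx-style ssl_certificate is not valid in Apache)
SSLEngine On
SSLCertificateFile .....
SSLCertificateKeyFile ..........
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>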
<Location />
ProxyPass http://example.com:8000/
ProxyPassReverse http://example.com:8000/
</Location>
</VirtualHost>
Next we need to enable a few Apache modules. To do this, issue the following commands:
sudo a2enmod proxy
sudo a2enmod proxy_http
sudo a2enmod proxy_balancer
sudo a2enmod lbmethod_byrequests
Apache will now need to be restarted with the command:
sudo service apache2 restart

Apache virtual host + reverse proxy conflict

I have a server running ubuntu+apache. I have a website running (old ipython notebook with a multiuser-hack) that can be accessed through xxx.xx.xx.xx (=:myip). The corresponding apache configuration called sins.conf looks like this:
<VirtualHost *:80>
ServerName ipython.local-server
ServerAlias
WSGIDaemonProcess ipythonapp2 user=www-data group=www-data processes=2 threads=5\
python-path=/home/sins/ilmrt/lib/python2.7/site-packages
WSGIScriptAlias / /home/sins/ilmrt/ipysite/wsgi.py
<Directory /home/sins/ilmrt/ipysite>
#WSGIProcessGroup ipythonapp2
WSGIApplicationGroup %{GLOBAL}
Require all granted
Allow from all
</Directory>
Alias /static/ /home/sins/ilmrt/ipysite/static/
<Location "/static/">
Options -Indexes
</Location>
</VirtualHost>
and works perfectly.
Now, since I'm about to run a new website (jupyterhub) with reverse proxy in addition, I setup a new apache configuration called jupyterhub.conf:
ProxyPass / http://localhost:9111/
ProxyPassReverse / http://localhost:9111/
Header edit Origin http://myip:9111/ localhost:9111
RequestHeader edit Origin http://myip:9111 localhost:9111
Header edit Referer http://myip:9111 localhost:9111
RequestHeader edit Referer http://myip:9111 localhost:9111
<Location ~ "/(user/[^/]*)/(api/kernels/[^/]+/channels|terminals/websocket)/?">
ProxyPass ws://localhost:9111
ProxyPassReverse ws://localhost:9111
</Location>
If I run sudo a2ensite jupyterhub and sudo service apache2 reload, the new website works as expected under http://myip:9111. However, the old website with the address http://myip shows Service Unavailable.
I don't understand what I need to change to make both sites working at the same time. Any help?
EDIT:
I believe I need to put the jupyterhub configuration inside a <VirtualHost *:9111>, but if I start the jupyterhub server it says
Proxy appears to be running at http://myip:9111, but I can't access it. Connection refused.
Okay, so the trick was as I assumed: It needs to be put in a VirtualHost.
For some reason I initially put a Listen 9111 in front of the config code below, which is why it blocked something. Here's the code in case anyone is interested:
<VirtualHost *:9111>
ProxyPass / http://localhost:9111/
ProxyPassReverse / http://localhost:9111/
Header edit Origin http://myip:9111/ localhost:9111
RequestHeader edit Origin http://myip:9111 localhost:9111
Header edit Referer http://myip:9111 localhost:9111
RequestHeader edit Referer http://myip:9111 localhost:9111
<Location ~ "/(user/[^/]*)/(api/kernels/[^/]+/channels|terminals/websocket)/?">
ProxyPass ws://localhost:9111
ProxyPassReverse ws://localhost:9111
</Location>
LogLevel debug
</VirtualHost>