I have a Apache proxy which serve the ssl for the client. The Apache then proxy to a plain http tomcat server.
Listen 7777
<VirtualHost *:7777>
ServerName my.server.com
SSLEngine on
SSLCertificateFile /some.crt
SSLCertificateKeyFile /some.pem
SSLProxyEngine on
# Replace HTTP response headers (http to https)
Header edit Location ^http:(.*)$ https:$1
ProxyRequests off
ProxyPreserveHost On
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass / http://my.server.com:8888/
ProxyPassReverse / http://my.server.com:8888/
<Location />
Order allow,deny
Allow from all
</Location>
</VirtualHost>
Everything is working fine but when I access
https://my.server.com:7777/jmx-console
I get a
http status 403 Access to the specified resource () has been forbidden.
If I access the backend directly
http://my.server.com:8888/jmx-console
I get the basic authentication dialog
I want the Apache to show the backend basic authentication dialog from tomcat. What am I missing?
Perhaps you need to use 'proxy-chain-auth':
SetEnv proxy-chain-auth On
AuthType basic
AuthBasicAuthoritative Off
Related
I am trying to do some basic testing of Apache reverse proxy in GCP. I have an Apache2.4 service running on a Debian10 VM.
The Apache VM has a public Internet interface and a 10.x.x.x interface in my GCP VPC.
Via GCP app engine, I have (2) services running (simple Go web apps), and I have added the "VPC connector" configuration so that the services are available from the VMs/VPC.
Both app engine services can be curled successfully from the Apache machine:
curl https://service1-dot-myProject-cloudapp.uk.r.appspot.com
curl https://service2-dot-mProject-cloudapp.uk.r.appspot.com
I am trying connect to these services from the Internet with the Apache doing reverse proxy.
I have a basic configuration in sites-enabled:
<VirtualHost *:443>
ServerName my-test.my-domain.com
ServerAdmin webmaster#localhost
DocumentRoot /var/www/html
SSLEngine on
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# service1 reverse proxy
<Proxy balancer://service1>
Order deny,allow
Deny from all
Allow from all
BalancerMember https://service1-dot-myProject-cloudapp.uk.r.appspot.com/
ProxySet lbmethod=bytraffic
</Proxy>
ProxyPass "/service1/" "balancer://service1/"
ProxyPassReverse "/service1/" "balancer://service1/"
# service2 reverse proxy
<Proxy balancer://service2>
Order deny,allow
Deny from all
Allow from all
BalancerMember https://service2-dot-mProject-cloudapp.uk.r.appspot.com/
ProxySet lbmethod=bytraffic
</Proxy>
ProxyPass "/service2/" "balancer://service2/"
ProxyPassReverse "/service2/" "balancer://service2/"
</VirtualHost>
When I test with https://<externalIP>/ , I get my default Apache splash page, with the usual warning that I dont have a legitimate cert --that's fine for now, I just want to get the mechanics of reverse proxy/Balancers working.
When I try to go to https://<externalIP>/service1 or https://<externalIP>/service2, I am getting 404 errors.
For right now, I am not able to setup DNS for this external IP. Is that what is preventing me connecting all the way to my "backend" services via reverse proxy?
Could you please let me know how can we use reverse proxy to allow non aem server to post pages to a directory on the main domain on AEM site (Eg: www.yourdomainname.com/test-one)?
I have tried adding the below syntax in the vhost file in dispatcher module of Apache server for using reverse proxy. However, this didn't work and faced a 404 on dispatcher upon server restart. The reason might be dispatcher reverse proxies to the publish instance. How can we bypass this issue to setup reverse proxy?
<VirtualHost *:80>
ServerName www.yourdomainname.com
ProxyRequests off
RemoteIPHeader X-Forwarded-For
Header set xxx-Proxy-Version "1.0"
ProxyPreserveHost On
<Location /test-one >
ProxyPass "http://xxx/test-one"
ProxyPassReverse "http://xxx/test-one"
Order allow,deny
Allow from all
</Location>
<Location /test-one/(.*) >
ProxyPass "http://xxx/test-one/(.*)"
ProxyPassReverse "http://xxx/test-one/(.*)"
Order allow,deny
Allow from all
</Location>
</VirtualHost>
Thanks
I'm using 2 VMs configured with Apache2 as a Proxy for the Tomcat server, but I have a very strange behavior I have sometimes HTTP 403 error on my front end, I tried different configurations but I can see that depending on the requests coming from my Load Balancer (plugged with my 2 VMs Apache) it returns HTTP 403 randomly (and not for the same requests as well).
Here is the flow:
Front end -> Load Balancer (443)
-> Apache2 Reverse Proxy (443) -> Tomcat (8080)
-> Apache2 Reverse Proxy (443) -> Tomcat (8080)
I run this Apache2 Reverse Proxy on Ubuntu, here is the configuration for my Apache2 Proxies:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin webmaster#localhost
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
<Proxy *>
AddDefaultCharset Off
Order deny,allow
Allow from all
</Proxy>
Header add Access-Control-Allow-Origin "https://myfrontend.com"
SSLEngine on
SSLCertificateFile /etc/ssl/myfrontend.key
SSLCertificateKeyFile /etc/ssl/privatemyfrontend.key
SSLCertificateChainFile /etc/ssl/ca_bundle
SSLProxyEngine on
ProxyRequests off
SSLProxyVerify require
SSLProxyVerifyDepth 1
SSLProxyCACertificateFile "/etc/ssl/myfrontend.key"
SSLProxyCheckPeerName on
ProxyPreserveHost On
ProxyPass / http://localhost:8080/back/
ProxyPassReverse / http://localhost:8080/back/
</VirtualHost>
any idea why I'm getting such 403 errors?
I had a similar problem with two applications (Gitlab and SonarQube) deployed behind an Apache server configured as a reverse proxy. I solved it by uninstalling the mod_evasive module of Apache.
I have been trying to setup a reverse proxy using apache 2 mod_proxy and the proxypass & proxypassreverse directives.
I am installing WSO2 Identity Server and wish to access that app using a url such as the following .
hxxp://myserver.domain.com/wso2/
The myserver.domain.com is accessible on the internet
Internally on my network I have set up a virtualhost running in my apache2 configuration with the following parameters:
For various reasons, port 80 is unavailable and the virtualhost must stay as :8080.
Finally, here is my virtual host configuration
<VirtualHost *:8080>
<Location /wso2/>
ProxyPass hxxps://internal.wso2.node:9443/
ProxyPassReverse hxxs://internal.wso2.node:9443/
</Location>
ProxyVia On
ProxyPreserveHost Off
ProxyAddHeaders Off
ProxyRequests Off
SSLProxyEngine On
SSLProxyCheckPeerCN Off
</VirtualHost>
The issue:
I can use my web browser ( Firefox/Chrome) to request the http://myserver.domain.com/wso2/ resource. In my log files I see that the request does hit the apache server and the virtualhost catches the /wso2/ location.
It passes through the proxy and lands on the internal.wso2.node server. however, the product WSO2 IS preforms several redirects which, in the log files I see it requesting the resource with the port appended.
Here is the request flow
hxxp://myserver.domain.com/wso2/ -> hxxps://internal.wso2.node:9443/
REDIRECT x3
hxxps://internal.wso2.node:8080/carbon ->
hxxps://internal.wso2.node:8080/carbon/admin/login.jsp
Back to my web browser
hxxp://myserver.domain.com:8080/wso2/carbon/admin/login.jsp
For some reason the apache response back appends its virtual host to the url I am requesting.
If I remove the port:8080 and request again the full url it will access the resource fine. However any attempt to access using only http://myserver.domain.com/wso2/ will result in redirects and the port appended.
As per covener's suggestion the culprit in this case proved to be the following directives:
UseCanonicalName Off
UseCanonicalPhysicalPort Off
Additionally, the web app I am trying to access makes use of sessions and cookies, therefore we must also proxy those, see the added directives under the ProxyPass & ProxyPassReverse.
Therefore the updated virtualhost configuration file should now look like this
<VirtualHost *:8080>
ServerName: myServer.domain.com
UseCanonicalName Off
UseCanonicalPhysicalPort Off
<Location /wso2/>
ProxyPass hxxps://internal.wso2.node:9443/
ProxyPassReverse hxxs://internal.wso2.node:9443/
ProxyPassReverseCookiePath / /wso2/
ProxyPassReverseCookieDomain internal.wso2.node myserver.domain.com
</Location>
ProxyVia On
ProxyPreserveHost Off
ProxyAddHeaders Off
ProxyRequests Off
SSLProxyEngine On
SSLProxyCheckPeerCN Off
</VirtualHost>
I have a HTTP Basic secured website. I hide a Tomcat application server with mod_proxy. Can I remove the HTTP Basic header? The Tomcat application reads the header and returns 401 not authorized. Basic auth isn't needed because the application uses cookie sessions. So I think just removing the headers would be fine.
Make sure mod_headers is enabled. An example config:
<VirtualHost *:80>
ServerName something.example.com
ServerAdmin admin#example.com
ProxyRequests Off
ProxyPreserveHost Off
AllowEncodedSlashes On
KeepAlive Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
<Location />
AuthType Basic
AuthName "Authorized Users Only"
AuthUserFile /etc/apache2/passwd
Require valid-user
</Location>
RequestHeader unset Authorization
ProxyPass / http://localhost:5984/ example
ProxyPassReverse / http://localhost:5984/
ErrorLog /var/log/apache2/something.example.com-error_log
CustomLog /var/log/apache2/something.example.com-access_log common
</VirtualHost>
I just had the same problem with Apache in front of another Java server trying to do basic auth, adding the following to my Apache config seemed to fix it:
RequestHeader unset Authorization