Is there a way to remove apaches Reverse Proxy Request Headers? - apache

When acting as a reverse proxy, apache adds x-forwarded headers as described here.
http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#x-headers
In my configuration I have configured server A as a forward proxy. There is a rule like this:
RewriteRule proxy:(.*example.com)/(.*) $1.mysecondserver.com/$2 [P]
This rule lets the server request the resource from one of my other servers.
On the second server (origin) I have a virtual host container for the resource and another rewrite rule like this:
RewriteRule some-regex some-url [P]
It may not seem to make sense like this but there is a lot of other stuff going on that I left out as it is not part of the problem.
However that final request has these headers:
[X-Forwarded-For] => ip of 1st server
[X-Forwarded-Host] => example.myseconserver.com
[X-Forwarded-Server] => example.com
I want those headers gone.
I seem to be unable to unset them with mod_headers. I can add more entries to them, but I can not remove them.
Any ideas?

Since Apache 2, as this pretty answer says, the
ProxyAddHeaders Off
theoretically disables it. In my experiences, it had no effect. However, combined with
<Proxy *>
ProxyAddHeaders Off
</Proxy>
and, with
RequestHeader unset X-Forwarded-Host
RequestHeader unset X-Forwarded-For
RequestHeader unset X-Forwarded-Server
somewhere it started to work.

corrected answer: there is no way to do that since its hardcoded
to fix this in the source code of mod_proxy_http.c search for the following part:
apr_table_mergen(r->headers_in, "X-Forwarded-Server",
r->server->server_hostname);
}
and immediately after that add this code:
// remove any X-Forwarded headers
apr_table_unset(r->headers_in, "X-Forwarded-For");
apr_table_unset(r->headers_in, "X-Forwarded-Host");
apr_table_unset(r->headers_in, "X-Forwarded-Server");
then compile by running apxs2 -cia mod_proxy_http.c

I had the same problem on httpd 2.2 on CentOS 5. Installing httpd 2.4 wasn't possible. But because of some reasons I couldn't switch to nginx completly. So I did it by inserting nginx proxy between httpd and the destination address. So I had: httpd(localhost:80/path) -> nginx(localhost:81/path) -> http://your.destination/path. Installation steps are the following:
Install nginx according to these instructions
Configure nginx to avoid security problems.
Add an location in nginx that will remove those httpd's reverse proxy request headers. It can look like this:
location /path {
proxy_set_header x-forwarded-for "";
proxy_set_header x-forwarded-host "";
proxy_set_header x-forwarded-server "";
proxy_pass http://your.destination/path;
}

Related

Nginx -> Apache 2 authentication -> return to Nginix

We have a nginx and an apache2 server.
Apache2 is configured to manage Kerberos (Active Directory) authentication.
We have a website managed by nginx with a reserved area.
I would know if this is possible:
the user goes to main site managed by nginx
from main site, there is a link to "/login" mapped to apache2:
location /login/ {
proxy_pass http://apache2server/testlogin;
}
when the login is successful, apache2 is configured to go to another nginx webpage, using proxypass too:
ProxyPass /testlogin http://nginxserver/logindone.php
ProxyPassReverse /testlogin http://nginxserver/logindone.php
I wonder if this is the right solution to the problem.
The best way you can implement an external authentication to your NGiNX website is using auth_request directive.
Basically, you can protect any request doing a subrequest to any external web server. The subrequest must return HTTP code 2XX to allow proceeding to the content, and any other HTTP code returned will deny access.
To accomplish that, be sure you've NGiNX with auth_request enabled (compiled with --with-http_auth_request_module). To check that, use the following command at shell:
nginx -V 2>&1 | grep "http_auth_request_module"
Add the auth_request directive to the location you want to protect, specifying an internal location where the authorization subrequest will be forwarded to, using:
location /system/ {
auth_request /auth;
#...
}
So, when a request is made to /system/ location, the system will create a subrequest to /auth location. Now we need to create the internal /auth location. We can use the following example below:
location = /auth {
internal;
proxy_pass http://my.app.webserver/auth_endpoint;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
#...
}
Here, we created the /auth internal location. We used the internal directive to disable external NGiNX access (any external request to /auth will not be processed by this location). Also, we removed the request body content and set the request length to zero, removing any original request variable. We do a subrequest to http://my.app.webserver/auth_endpoint passing all requested cookies, so your backend application could determine if user has access or not.
If you need to know the original requested URI, you can add it on an extra HTTP header at subrequest adding:
proxy_set_header X-Original-URI $request_uri;
You can learn more about NGiNX auth_request directive here.

Unset HTTPS environment variable when X-Forwarded-Proto is http

I have endpoint termination setup on my Google Cloud Platform HTTP Load Balancer and HTTPS set as the protocol for communication with my backends.
This means that all requests, HTTP or HTTPS, is HTTPS to apache. The problem with this is that the HTTPS environment variable is set to on even when X-Forwarded-Proto is set to http.
All of my research and testing only points to the inverse case (setting HTTPS to on when X-Forwarded-Proto is https via a SetEnvIf X-Forwarded-Proto https HTTPS=on rule).
But, I need something to unset HTTPS when X-Forwarded-Proto is http.
I've tried setting SSLOptions -StdEnvVars as well as many combinations of SetEnvIf, SetEnv, and UnsetEnv. Setting it via mod_rewrite is not an option for me (I don't know if it would work anyway). An interesting note about turning off StdEnvVars is that even when it is off, all the SSL related variables are gone except HTTPS and I can confirm nothing else is setting it in any of my config files.
Edit:
Some examples of directives I've tried in my server config, vhost, and htaccess:
SetEnvIf X-Forwarded-Proto http HTTPS=Off
SetEnvIf X-Forwarded-Proto http HTTPS=0
SetEnvIf X-Forwarded-Proto http !HTTPS
SetEnv HTTPS Off
SetEnv HTTPS 0
SetEnv HTTPS
UnsetEnv HTTPS
Using these directives with other variables, including tests like foo works just fine.
Using these directives with other variables, including tests like foo works just fine.
Just an idea first (gladly retracted if someone has a better idea)
https://cloud.google.com/compute/docs/load-balancing/http/ says:
Target proxies
Target proxies terminate HTTP(S) connections from clients, and
are referenced by one or more global forwarding rules and route the
incoming requests to a URL map.
The proxies set HTTP request/response headers as follows:
Via: 1.1 google (requests and responses)
X-Forwarded-Proto: [http | https] (requests only)
X-Forwarded-For: <client IP(s)>, <global forwarding rule external IP> (requests only)
Can be a comma-separated list of IP addresses depending on the X-Forwarded-For entries appended by the intermediaries the client is
traveling through. The first element in the section
shows the origin address.
The question is where this is set. If in the apache config files, you could just alter the config. If it is set somewhere else, you need to find out where.
The TargetHttpsProxies resource did not list any ways to alter it either. So how about you post the config files that lead to above behavior?

Set correct REMOTE_ADDR in PHP-FPM called from Apache

We want to switch from mod_php to fastCGI + PHP-FPM on our Apache server.
We got everyhting in place and working except one thing:
Value in our $_SERVER['REMOTE_ADDR'] is always 127.0.0.1 not IP of client. Is there any way how to configure server to set this variable to client real IP?
We have client real IP in X-Forwarded-For header (passed from proxy)
Basically we need Apache alternative for nginx config:
fastcgi_param REMOTE_ADDR $http_x_forwarded_for;
( as described here Nginx replace REMOTE_ADDR with X-Forwarded-For)
Solved by adding directive to php.ini:
auto_prepend_file = /etc/php5/rpaf.php
which enable execution of this simple PHP script to normalize headers:
<?php
$trustedProxies = array(
'127.0.0.1'
);
$remote = $_SERVER['REMOTE_ADDR'];
$allowedHeaders = array(
'HTTP_X_FORWARDED_FOR' => 'REMOTE_ADDR',
'HTTP_X_REAL_IP' => 'REMOTE_HOST',
'HTTP_X_FORWARDED_PORT' => 'REMOTE_PORT',
'HTTP_X_FORWARDED_HTTPS' => 'HTTPS',
'HTTP_X_FORWARDED_SERVER_ADDR' => 'SERVER_ADDR',
'HTTP_X_FORWARDED_SERVER_NAME' => 'SERVER_NAME',
'HTTP_X_FORWARDED_SERVER_PORT' => 'SERVER_PORT',
);
if(in_array($remote, $trustedProxies)) {
foreach($allowedHeaders as $header => $serverVar) {
if(isSet($_SERVER[$header])) {
if(isSet($_SERVER[$serverVar])) {
$_SERVER["ORIGINAL_$serverVar"] = $_SERVER[$serverVar];
}
$_SERVER[$serverVar] = $_SERVER[$header];
}
}
}
If you want to see the real IP in logs, use %{REMOTE_ADDR} in access.format directive. In php-fpm.conf of your pool.
With apache 2.4 you can use apache's mod_remoteip module. It will set the expected client IP in apache logs as well as forward that information to php-fpm without any changes in php-fpm. Tested with the official httpd and php-fpm docker images.
Here is an example configuration part for your httpd.conf:
LoadModule remoteip_module modules/mod_remoteip.so
RemoteIPHeader X-Forwarded-For
RemoteIPProxiesHeader X-Forwarded-By
# 0.0.0.0/0 is not accepted
RemoteIPInternalProxy 172.0.0.0/8
The otherwise mentioned mod_rpaf is no longer available with apache 2.4.
Set it in the nginx config.
# Set the client remote address to the one sent in the X_FORWARDED_FOR header from trusted addresses.
set_real_ip_from 127.0.0.1;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
Source: http://nginx.org/en/docs/http/ngx_http_realip_module.html
--
Update for Apache
For Apache, install module mod_rpaf, and configure it.
LoadModule rpaf_module modules/mod_rpaf.so
RPAF_Enable On
RPAF_ProxyIPs 127.0.0.1 10.0.0.0/24
RPAF_SetHostName On
RPAF_SetHTTPS On
RPAF_SetPort On
RPAF_ForbidIfNotProxy Off
Source: https://github.com/gnif/mod_rpaf
Since I just spend a few good hours on this, I'd like to point out that mod_rpaf does not seems to work correctly when using mod_proxy + mod_proxy_fcgi instead of mod_fcgi (at least on Debian Jessie)
While mod_rpaf will indeed fix the apache access-log when both mod_rpaf and the load-balancer are configured correctly, it will sadly not fix PHPs $_SERVER['REMOTE_ADDR'] variable.
Some people suggest manually overwriting REMOTE_ADDR using:
SetEnvIf X-Real-IP "^(\d{1,3}+\.\d{1,3}+\.\d{1,3}+\.\d{1,3}+).*" REMOTE_ADDR=$1
RequestHeader set REMOTE-ADDR %{REMOTE_ADDR}e env=REMOTE_ADDR
and while you can ADD custom entries to $_SERVER (with and without HTTP prefix) this way, it does not work for REMOTE_ADDR...
On the other hand using mod_remoteip passes the correct ip to $_SERVER['REMOTE_ADDR'], but it seems like the apache access-log is showing the load-balancers ip again...
[EDIT: Nevermind, replace %h with %a in the access-log format definition (apache2.conf) and it works]

Laravel routes behind reverse proxy

Ok, so for development purposes, we have a dedicated web server. It's not currently connected directly to the internet, so I've setup an apache reverse proxy on another server, which forwards to the development server.
This way, I can get web access to the server.
The problem is, the routes in Laravel are now being prefixed with the internal server IP address, or the servers computer name.
For example, I go to http://subdomain.test.com but all the routes, generated using the route() helper, are displaying the following url: http://10.47.32.22 and not http://subdomain.test.com.
The reverse proxy is setup as such:
<VirtualHost *:80>
ServerName igateway.somedomain.com
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass / http://10.47.32.22:80/
ProxyPassReverse / http://10.47.32.22:80/
<Location />
Order allow,deny
Allow from all
</Location>
</VirtualHost>
I have set the actual domain name in config\app.php.
Question
How can I set the default URL to use in routing? I don't want it using the internal addresses, because that defeats the point of the reverse proxy.
I've tried enclosing all my routes in a Route::group(['domain' ... group, which doesn't work either.
I ran into the same (or similar problem), when a Laravel 5 application was not aware of being behind an SSL load-balancer.
I have the following design:
client talks to an SSL load balancer over HTTPS
SSL load balancer talks to a back-end server over HTTP
That, however, causes all the URLs in the HTML code to be generated with http:// schema.
The following is a quick'n'dirty workaround to make this work, including the schema (http vs. https):
Place the following code on top of app/Http/routes.php
In latest version of laravel, use web/routes.php
$proxy_url = getenv('PROXY_URL');
$proxy_schema = getenv('PROXY_SCHEMA');
if (!empty($proxy_url)) {
URL::forceRootUrl($proxy_url);
}
if (!empty($proxy_schema)) {
URL::forceSchema($proxy_schema);
}
then add the following line into .env file:
PROXY_URL = http://igateway.somedomain.com
If you also need to change schema in the generated HTML code from http:// to https://, just add the following line as well:
PROXY_SCHEMA = https
In latest version of laravel forceSchema method name has changed to forceScheme and the code above should look like this:
if (!empty($proxy_schema)) {
URL::forceScheme($proxy_schema);
}
Ok, so I got it. Hopefully this will help someone in the future.
It seems like Laravel ignores the url property in the config\app.php file for http requests (it does state it's only for artisan), and it instead uses either HTTP_HOST or SERVER_NAME provided by apache to generate the domain for URLs.
To override this default url, go to your routes.php file and use the following method:
URL::forceRootUrl('http://subdomain.newurl.com');
This will then force the URL generator to use the new url instead of the HTTP_HOST or SERVER_NAME value.
Go to app/Http/Middleware/TrustProxies.php and change the protected variable $proxies like this:
protected $proxies = ['127.0.0.1'];
Just this! Be happy!
Because laravel route is created not from the config/app itself rather than from the server. My solution is adding the proxy_set_header Host to the nginx's config.
server {
listen 80;
server_name my.domain.com;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host my.domain.com;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://127.0.0.1:8000;
}
}
i'm using laravel 8 with nginx docker inside a running nginx on the machine, so yeah it's double nginx
add this code in App\Providers\AppServiceProvider class
if (Str::contains(Config::get('app.url'), 'https://')) {
URL::forceScheme('https');
}
Seems the Laravel have more convinient solution.. Check answer there: How do I configure SSL with Laravel 5 behind a load balancer (ssl_termination)?
Following up #TimeLord's solution:
In latest version of laravel the name for forced schema has changed and now it is:
URL::forceScheme()
I know this topic is old a.f but I've been solving this issue by replacing the following line in my DatabaseSessionHandler.pdf [#Illuminate/Session]:
protected function ipAddress()
{
return $_SERVER['HTTP_X_FORWARDED_FOR'];
// return $this->container->make('request')->ip();
}
Of course you need to migrate the sesssion table first and set up the config
(.env Variable SESSION_DRIVER=database)
For nginx, you don't need to do anything extra in Laravel. The fix can be done at from nginx config;
server {
listen 80;
listen [::]:80 ipv6only=on;
server_name sub.domain.dev;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host sub.domain.dev;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://127.0.0.1:8000;
}
}
Figured out a way that much cleaner and only does exactly what the loadbalancer tells it to, add this function to your RouteServiceProvider
protected function enforceProtocol()
{
if(request()->server->has('HTTP_X_FORWARDED_PROTO')){
URL::forceScheme(request()->server()['HTTP_X_FORWARDED_PROTO']);
}
}
and in the boot section, simple call it like so
public function boot()
{
$this->enforceProtocol();
//other stuff
}

url rewrite using Nginx in front of an apache

I'm trying to figure out how to re-write urls using nginx in front of an apache.
I am new to a set up like that and after an extensive research I couldn't figure it out.
I am trying to enable seo friendly urls in a prestashop 1.6.0.6 installation without any luck. The truth is that this is really straightforward when using only an apache as a web server.
I would appreciate it if someone could help me on this.
Whether this will work depends on how your Apache server is configured to accept the URLs. If Apache is configured, as you mentioned with a .htacess file, to serve at the root of the host name, then rewriting may not be required. An example Nginx server block like this:
server {
server_name nginx.example.org;
location / {
proxy_set_header Host $host;
proxy_pass http://apache.example.org:80 break;
}
}
will pass the exact host and path being accessed from Nginx through to Apache without any changes. The server_name and proxy_pass directives will need to be changed for your local configuration, however. In this case, because of the use of the location / {}, all paths are accepted and proxied.
As long as the backend Apache is configured correctly and accessible from Nginx, this should work. The best test would be to ensure that you can access resources on Apache directly first, especially those with the SEO-friendly URLs, which would indicate the .htaccess file is in working and effect. Then configure Nginx in front as per the above.
As for potentially using only Nginx, you could port the rules from the .htaccess over into rewrite directives within Nginx configuration. In my experience, the rules are very similar in functionality and structure:
Apache: RewriteRule ^/(.*\.jpg)$ /images/$1 [L]
Nginx: rewrite ^/(.*\.jpg)$ /images/$1 last;
More information is at the Nginx wiki.