I am trying to make our Subversion repository accessible via multiple URLs. To do so, I was thinking to use the LocationMatch directive. My configuration is:
<Location ~ "/(svn|repository)">
DAV svn
SVNPath /opt/svn
AuthzSVNAccessFile /etc/subversion/access
</Location>
The above configuration does NOT work. Strange thing is, that if I use for example this configuration, it works well for both URLs:
<Location ~ "/(svn|repository)">
SetHandler server-status
</Location>
For me, it looks like the combination of DAV svn and LocationMatch does not really work, or am I doing something wrong here?
I too am having problems with as I wanted to use regexs to avoid other subpaths getting caught by my match.
e.g.
<LocationMatch "^/test/.*$>
is not the same as
<Location "/test">
as in the latter, http://site.com/newproduct/test would get caught by the last one, but not the first one. So would http://site.com/test/scripts . This is why LocationMatch exists, but it fails whenever I put in regexs. It appears to work if I use LocationMatch w/o any regular expressions though.
The problem seems to be that when you use regular expressions in your Location or LocationMatch section, the Apache server is rewriting some metadata on the request with the content of the regular expression (possibly to let the handler that takes this request that it was targeted by a regular expression).
When the dav_svn handler gets the request, it consults this metadata to resolve the path it needs to take to get the resource being asked. Because the regular expression is not a real path, you get errors like this:
svn: PROPFIND of '%5E/(svn%7Crepository)/!svn/vcc/default': Could not parse response status line
I don't have any fix for that, except not using regular expressions with dav_svn: in my case I wanted to use an XSLT formatter to show a nice UI for the subversion repository when accessing it using a web browser, and the XSL resources were supposed to be accessed on a different path on the same host name that hosts the subversion repo, so I wanted to use a regular expression Location to have the path to the XSL resources not hit the dav_svn handler. This was a bust, so instead I just deployed websvn on a different host name and that was that.
Does the client get an error, and is there an error in the HTTP error logs?
SVN may get confused you map multiple locations to a single SVN Repo. See http://subversion.apache.org/faq.html#http-301-error . I'm troubleshooting this for another problem right now.
Does it work if you remove the regular expression? I'll assume yes, but I wanted to verify.
<Location "/svn">
fast solution that works: just add your reference to each vhost, you want to make the svn repro accessible.
Related
my English is rather poor and it is my first question, so hopefully I do it the right way ;-)
I use Apache HTTPD 2.4.41 (Win64) and I wanted to use following LocationMatch-Rule:
<LocationMatch "^/es/(?<ind>.*)/_search$">
AllowMethods GET POST
ProxyPassMatch http://localhost:9200/%{MATCH_IND}/_search
ProxyPassReverse http://localhost:9200
</LocationMatch>
The rule seems to match, as I receive a response from the backend server (ElasticSearch). The response body shows that something did not work with the named group backreference:
GET /es/archives/_search
{
"error": "no handler found for uri [/%25%7BMATCH_IND%7D/_search/es/archives/_search] and method [POST]"
}
It seems that the named group backreference has not been recognized and has been passed right through to the backend server without being interpreted.
At least, the original URL has been appended (as stated in the doc). As a workaround I could even leave it like this, but in my opinion, it is not the right way to achieve this.
Any Ideas of the reason why both the named group backreference and the variable seems not be recognized by Apache ? My Apache version (2.4.41) should also be fine as named group backreferences have been introduced in version 2.4.8.
I literally spent hours on Stack Overflow and Google searching for a similar situation, but nothing helped so far.
Hope, someone can help!
It seems that <LocationMatch> documentation is a big vague when it comes to using the matched expression with ProxyPass and ProxyPassMatch. The %{MATCH_*} expressions do not seem to work with them. However it seems that back-references (ie. $1) do work. So you probably want something like:
<LocationMatch "^/es/(?<ind>.*)/_search$">
AllowMethods GET POST
ProxyPassMatch http://localhost:9200/$1/_search
ProxyPassReverse http://localhost:9200
</LocationMatch>
Note that named groups need to be used in the regex, otherwise the back-reference won't be populated.
I'm trying to create dynamic apache config for lots of directories with OpenID auth, but I never got it to work, I think that there's something wrong with named regexp, but I don't know.
Here's my virtualhost config:
AliasMatch ^/backup/(.*)$ /user_server_backups/$1
<LocationMatch "^/backup/(?<sitename>[^/]+)">
Require claim "roles:%{env:MATCH_SITENAME}"
AuthType openid-connect
</LocationMatch>
Whenever I try to access I got 401
I tried also using numbered regexp but as described in docs numbered regexps are ignored.
You'll need to use at least version 2.4.2.1 of mod_auth_openidc, see: https://github.com/zmartzone/mod_auth_openidc/pull/469
I have an Apache 2.2 set up with LDAP Authorization, which is working fantastically as expected, and have also made it so that I can bypass Authentication when accessing it locally.
Allow from localIP hostnameA hostnameB, etc...
If I curl from the server, I don't get any Auth Required. So all good and working as expected.
What I need now is to make one particular URL to also bypass authorisation.
I have tried all the usual solution of using SetEnvIf;
SetEnvIf Request_URI "^/calendar/export" bypassauth=true`
Allow from env=bypassauth IP_ADDRESS HOSTNAME_A HOSTNAME_B
But this is just not working!!
Local access is still unrestricted, but remotely it is not (no change there)
If I dump out my server environment variables on that URL's script, I can see my bypassauth variable is being passed.
I just cannot for the life of me figure out why the Allow from env=bypassauth part is not working, while it still obeys the additional directive parameters.
I also tried another suggestion, using the Location directive;
<Location /calendar/export>
Satisfy Any
Allow from all
AuthType None
SetEnv WTF 123
</Location>
Again, I can see my new environmental variable (WTF) appear on this URL (when I dumped the server envs in the script), so I know that the SetEnv and SetEnvIf directives are working.
Is there anything I'm missing (any Apache2.2 quirks?), as all the solutions I've seen so far just are not working. It's as if my Allow from changes are having no effect after restarting Apache. I'm starting to feel my sanity slip.
Is there also a particular order when writing the directives for Satisfy Any, Order allow, deny and the Auth* directives, which might be effecting this?
Finally managed to figure it out!! :)
Seems my url was being processed by mod_rewrite (my environmental variable being prefixed by REWRITE_ should have rung alarm bells), which according to this post https://stackoverflow.com/a/23094842/4800587, the mod_rewrite is performed AFTER our SetEnvIf and Allow directives.
Anyway, long story short; I used the rewritten/final URL and the Location section to bypass authentication using the Allow any directive. So I changed...
<Location "/calendar/export">
Allow from all
</Location>
to..
<Location "/calendar/index.php/export">
Allow from all
</Location>
which is the final URL (after rewrite), and now works.
Apache 2.4 includes mod_proxy_html and that's great, it's catching all kinds of URLs inside the HTML coming back from the server and fixing them. But I've got a Seam app that sends back text/xml files to the client sometimes with fully qualified URLs that also need to be rewritten and mod_proxy_html doesn't fix them.
Apparently there was a mod_proxy_xml that used to exist separately from mod_proxy_html but Apache didn't include that. Is there a way to get mod_proxy_html configured to do the same thing? I need it to fix URLs in both the HTML and XML files coming back from a server.
Follow up:
I continue to fight with this and I've tried a few different solutions with no success including using mod_substitute (which somehow I'm configuring incorrectly because it never seems to substitute anything for anything) and using the force flag mod_proxy_html has to try and force it to do all files under a certain path.
This is an old question, but I just faced the same issue.
I tried with mod_proxy_html, compiled mod_proxy_xml, nothing worked.
#JonLin's suggestion is spot on, it works with mod_sed.
The only if is mod_sed is documented to work inside Directory nodes.
If you declare a Location though and do a SetOutputFilter instead of AddOutputFilter (which requires a mime type) it works beautifully.
The config that works is:
<Location "/">
SetOutputFilter Sed
OutputSed "s,http://internal:80,https://external.com,g"
</Location>
Our local development setup requires a box in the DMZ, and each developer has a line in its apache config for proxying. Looks something like:
ProxyPreserveHost on
ProxyPass /user1/ {user1's IP}
ProxyPassReverse /user1/ {user1's IP}
ProxyPass /user2/ {user2's IP}
ProxyPassReverse /user2/ {user2's IP}
#etc
Our public URLs become {DMZ server}/user1, {DMZ server}/user2, etc. The problem is that on the dev's boxes, the value of $_SERVER['HTTP_HOST'] is just {DMZ server}, without the user's subdirectory. The desired behavior is to have /user%/ as the real host name.
I've tried overriding the HOST var, and some rewrite rules, but nothing has worked.
Creating subdomains is not an option.
thank you for any help!
http://httpd.apache.org/docs/2.0/mod/mod_proxy.html#proxypreservehost seems to be the answer.
Im going to take a stab and suggest this:
SetEnvIf Host (.*) custom_host=$1
RequestHeader set X-Custom-Host-Header "%{custom_host}e/%{REQUEST_URI}e/%{QUERY_STRING}e"
That should hopefully set a request header called X-Custom-Host-Header that you can then pickup in PHP. If you want, you can try to override the Host Header, but I'm not sure on the implications of that. The Host header is a special HTTP header and generally only contains the host portion of an HTTP request, not the full request url.
Untested unfortunately, but it would help if you could clarify in a bit more detail what you are looking for.
EDIT, THIRD ANSWER:
Looks like Apache has heard this complaint before and the solution is mod_substitute. You need to use it to rewrite all the URLs returned in the document to insert /user1/.
EDIT, SECOND ANSWER:
Based on the additional information in your comments, I'd say your Apache config on your DMZ server is correct. What you are asking for is to have the developer machines generate URLs that include their context path (which is the J2EE term for something analogous to your /user1/ bit). I don't have any experience with PHP so I don't know if it has such a facility, but a quick search suggests it does not.
Otherwise, you'd have to roll your own function that converts a relative URL to an absolute URL, make that configurable so you can have it add something to the host name, and then force everyone to use that function exclusively for generating URLs. See, for some guidance, "Making your application location independent" in this old (outdated?) PHP best practices article for a solution to the related problem of finding local files.
PREVIOUS ANSWER: (doesn't work, causes redirect loop)
I'm still not clear what you are trying to do or what you mean by "Running on the dev apps are apache and PHP mainly, for hosting various applications", but as an educated guess, have you tried:
ProxyPass /user1/ {user1's IP}/user1/
ProxyPassReverse /user1/ {user1's IP}/user1/
If I were setting up the sort of environment you seem to be wanting to have, I'd want $_SERVER['HTTP_HOST'] to be {DMZ server} on every dev machine so that the dev machine's environment looks just like (or at least more like) production to the code running on it.