Re: [users@httpd] mod_proxy ProxyPassReverse incorrectly adjusting Location header in redirect?
On 12.04.2012, at 09:17, Igor Cicimov wrote: >> On Thu, Apr 12, 2012 at 4:32 PM, Rainer Frey wrote: >> >> > Where did you get the idea that you can mix protocols in the reverse proxy >> > commands from? >> > >> > This doesn't [make sense]: >> > ProxyPass / https://internal.example.com/ >> > ProxyPassReverse / http://internal.example.com/ >> >> That is wrong. > No it's not wrong Your above statement is definitely not correct. You *can* and sometimes *must* mix protocols between ProxyPass and ProxyPassReverse. The only thing a working ProxyPassReverse directive needs to match is the redirect URLs that a proxy backend returns. Apart from the fact that it only applies to responses from proxied backends, it has /nothing/ to do with the value in any ProxyPass directive. You don't even need a ProxyPass directive, it also applies to mod_rewrite [P] triggered proxy passing. This is a very common misunderstanding, and should not be left in the mailing list archive without explanation. >> It does not do what the OP expected, but it is definitely possible to do >> that, if the backend sends non-HTTPS redirects even though it was accessed >> via HTTPS. > I'm just pointing that it can't be done via mod_proxy as OP expects to, which > was his question exactly. That's right, but for completely different reasons. He can't change the redirect to non-SSL via ProxyPassReverse, because (and only because) the relevant ProxyPassReverse directive is within an SSL virtual host. Rainer - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] mod_proxy ProxyPassReverse incorrectly adjusting Location header in redirect?
> > > On Thu, Apr 12, 2012 at 4:32 PM, Rainer Frey wrote: > > On 12.04.2012, at 07:57, Igor Cicimov wrote: > > > Where did you get the idea that you can mix protocols in the reverse > proxy commands from? > > > > This makes sense: > > ProxyPass / http://internal.example.com/ > > ProxyPassReverse / http://internal.example.com/ > > > > This doesn't: > > ProxyPass / https://internal.example.com/ > > ProxyPassReverse / http://internal.example.com/ > > That is wrong. It does not do what the OP expected, but it is definitely > possible to do that, if the backend sends non-HTTPS redirects even though > it was accessed via HTTPS. > > The protocol of the result of the ProxyPassReverse is determined by the > context of the virtual host in which these directives are placed though. > > Rainer > - > To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org > For additional commands, e-mail: users-h...@httpd.apache.org > > No it's not wrong I'm just pointing that it can't be done via mod_proxy as OP expects to, which was his question exactly.
Re: [users@httpd] mod_proxy ProxyPassReverse incorrectly adjusting Location header in redirect?
On 12.04.2012, at 07:57, Igor Cicimov wrote: > Where did you get the idea that you can mix protocols in the reverse proxy > commands from? > > This makes sense: > ProxyPass / http://internal.example.com/ > ProxyPassReverse / http://internal.example.com/ > > This doesn't: > ProxyPass / https://internal.example.com/ > ProxyPassReverse / http://internal.example.com/ That is wrong. It does not do what the OP expected, but it is definitely possible to do that, if the backend sends non-HTTPS redirects even though it was accessed via HTTPS. The protocol of the result of the ProxyPassReverse is determined by the context of the virtual host in which these directives are placed though. Rainer - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] mod_proxy ProxyPassReverse incorrectly adjusting Location header in redirect?
Hi, I don't know the solution out of my head, but maybe pointing out what goes wrong helps you already. On 11.04.2012, at 18:11, Charlie Katz wrote: > Hi, as an interim solution in an internal reorganization of server resources, > I > want to use mod_proxy as a reverse proxy to move the entire functionality of > a > public-facing server (www.example.com) to an internal server > (internal.example.com). (configuration at end) > > https is used in this site only for logging in, after which a 302 redirect is > issued pointing to http://www.example.com/home.html, and the session > continues > through http. I am having trouble getting ProxyPassReverse to rewrite the > Location header in the redirect properly. > > Here's the sequence: > -client sends POST login credentials to https://www.example.com/login.html So you are in the SSL VirtualHost context, in which the reply is evaluated as well. > -request is proxied by https://www.example.com to > https://internal.example.com/login.html > -login succeeds, respond with 302 redirect to > http://internal.example.com/home.html > -reply goes to https://www.example.com Which is the SSL VHost. > - ProxyPassReverse rewrites the Location header > from http://internal.example.com/home.html to > https://www.example.com/home.html Yes. The directive is: > ProxyPassReverse / http://internal.example.com/ It matches http://internal.example.com/ to the Location header value of http://internal.example.com/home.html, and replaces it with the /local path/ of '/' within the context of the /current virtual host/, using either the canonical hostname of the VHost or the original request's hostname depending on UseCanonicalName directive. So the result of ProxyPassReverse will *always* be a URL within the current VHost, but you need to send a redirect to your other, non-SSL VHost. You'll need a different or additional way to adjust the redirection than ProxyPassReverse (alone). One way could be accepting that the client will receive the HTTPS redirect URL, and when it follows that, explicitly redirect https://www.example.com/home.html to http://www.example.com/home.html This of course means that the client sees one more redirect. Another idea is using mod_headers to process the Location header in the proxy response. But I'm not sure that will work, depending on how Apache will chain mod_proxy and mod_headers in that case. > -reply received by client, which acts on the redirect > > The starred *** step is what is going wrong, as the proxy is changing the > http to https despite the explicit "ProxyPassReverse / > http://internal.example.com"; line. > > I have tried many different tweaks to the configuration, but I always find > that > the header is rewritten back to https despite my explicitly specifying http > in > the response. This is the misunderstanding. The URL as second argument to the ProxyPassReverse directive is *not* used in the response in any way, it is only used to match a location header returned by a proxy backend to determine if and what to replace. The replacement is always the current host URL. > I feel like I must be misunderstanding something here. Can anyone help me > untangle it? > > Regards, > Charlie Katz HTH Rainer - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] mod_proxy ProxyPassReverse incorrectly adjusting Location header in redirect?
Where did you get the idea that you can mix protocols in the reverse proxy commands from? This makes sense: ProxyPass / http://internal.example.com/ ProxyPassReverse / http://internal.example.com/ This doesn't: ProxyPass / https://internal.example.com/ ProxyPassReverse / http://internal.example.com/ On Thu, Apr 12, 2012 at 2:11 AM, Charlie Katz wrote: > Hi, as an interim solution in an internal reorganization of server > resources, I > want to use mod_proxy as a reverse proxy to move the entire functionality > of a > public-facing server (www.example.com) to an internal server > (internal.example.com). (configuration at end) > > https is used in this site only for logging in, after which a 302 redirect > is > issued pointing to http://www.example.com/home.html, and the session > continues > through http. I am having trouble getting ProxyPassReverse to rewrite the > Location header in the redirect properly. > > Here's the sequence: > -client sends POST login credentials to https://www.example.com/login.html > -request is proxied by https://www.example.com to > https://internal.example.com/login.html > -login succeeds, respond with 302 redirect to > http://internal.example.com/home.html > -reply goes to https://www.example.com > - ProxyPassReverse rewrites the Location header > from http://internal.example.com/home.html to > https://www.example.com/home.html > -reply received by client, which acts on the redirect > > The starred *** step is what is going wrong, as the proxy is changing > the > http to https despite the explicit "ProxyPassReverse / > http://internal.example.com"; line. > > I have tried many different tweaks to the configuration, but I always find > that > the header is rewritten back to https despite my explicitly specifying > http in > the response. > > I feel like I must be misunderstanding something here. Can anyone help me > untangle it? > > Regards, > Charlie Katz > > > > configuration on www.example.com > > ProxyRequests off > ProxyPass / http://internal.example.com/ > ProxyPassReverse / http://internal.example.com/ > ProxyPassReverse / https://internal.example.com/ > ProxyPassReverseCookieDomain internal.example.com www.example.com > > > > SSLProxyEngine on > > ProxyRequests off > ProxyPass / https://internal.example.com/ > ProxyPassReverse / http://internal.example.com/ > # ProxyPassReverse / https://internal.example.com/ # same behavior with > or > without this line > ProxyPassReverseCookieDomain internal.example.com www.example.com > > > > > - > To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org > For additional commands, e-mail: users-h...@httpd.apache.org > >
[users@httpd] mod_proxy ProxyPassReverse incorrectly adjusting Location header in redirect?
Hi, as an interim solution in an internal reorganization of server resources, I want to use mod_proxy as a reverse proxy to move the entire functionality of a public-facing server (www.example.com) to an internal server (internal.example.com). (configuration at end) https is used in this site only for logging in, after which a 302 redirect is issued pointing to http://www.example.com/home.html, and the session continues through http. I am having trouble getting ProxyPassReverse to rewrite the Location header in the redirect properly. Here's the sequence: -client sends POST login credentials to https://www.example.com/login.html -request is proxied by https://www.example.com to https://internal.example.com/login.html -login succeeds, respond with 302 redirect to http://internal.example.com/home.html -reply goes to https://www.example.com - ProxyPassReverse rewrites the Location header from http://internal.example.com/home.html to https://www.example.com/home.html -reply received by client, which acts on the redirect The starred *** step is what is going wrong, as the proxy is changing the http to https despite the explicit "ProxyPassReverse / http://internal.example.com"; line. I have tried many different tweaks to the configuration, but I always find that the header is rewritten back to https despite my explicitly specifying http in the response. I feel like I must be misunderstanding something here. Can anyone help me untangle it? Regards, Charlie Katz configuration on www.example.com ProxyRequests off ProxyPass / http://internal.example.com/ ProxyPassReverse / http://internal.example.com/ ProxyPassReverse / https://internal.example.com/ ProxyPassReverseCookieDomain internal.example.com www.example.com SSLProxyEngine on ProxyRequests off ProxyPass / https://internal.example.com/ ProxyPassReverse / http://internal.example.com/ # ProxyPassReverse / https://internal.example.com/ # same behavior with or without this line ProxyPassReverseCookieDomain internal.example.com www.example.com - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org