On Tue, Oct 7, 2025 at 5:33 PM Bret Stern <[email protected]> wrote:
> Eliyahu,
> Your reply here:
> "As I suspected you are forwarding to the internal IP address, thus the
> internal server sees a request for http://IP/ and has no way to select a
> virtual host.
> You can either do what I suggested in my original reply to maintain the
> hostname or what you can also do is add/strip headers on the reverse proxy."
>
> I can't put the domain name in the proxypass? Won't DNS for the site just
> route it back to the same WAN server that's trying to forward it to the
> backend server.
>
> Still reading
>
> On 10/7/2025 12:30 PM, E.S. Rosenberg wrote:
>
> On Tue, 7 Oct 2025 at 22:24, Bret Stern <[email protected]> wrote:
>
>> Eliyahu,
>> Appreciate you taking a shot. Here they are:
>>
>> <VirtualHost *:80>
>>     SSLProxyEngine on
>>     ServerName postfixadmin.domain.com
>>     ProxyPreserveHost On
>>
>>     ProxyPass / http://192.168.60.157/
>>     ProxyPassReverse / http://192.168.60.157/
>>
>> </VirtualHost>
>>
>> <VirtualHost *:80>
>>     ServerName mail.domain.com
>>     ProxyPreserveHost On
>>
>>     ProxyPass / http://192.168.60.157/
>>     ProxyPassReverse / http://192.168.60.157/
>>
>> </VirtualHost>
>>
>> By the way the WAN side server hosts 3 websites. But the mail.domain.com
>> and the postfixadmin.domain.com are proxied
>> to another server on the lan.
>>
>> I kind of feel like this setup is a bit corrupted, there's so much info
>> out there, and who knows what the right way.
>>
>> My hunch is taking me to a possible ssl encryption setup, so I'm asking
>> on letsEncrypt as well.
>>
>> If there's anything logs wise you need, I can provide.
>>
>> Appreciate your thoughts,
>> Bret
>>
>> On 10/7/2025 12:07 PM, E.S. Rosenberg wrote:
>>
>> On Tue, 7 Oct 2025 at 18:34, Bret Stern <[email protected]> wrote:
>>
>>> Ok. So my understanding of ReWrite rules is to modify the url in some
>>> fashion...per the Apache docs.
>>> I don't see any reason to do that..so I commented out all the "ReWrite
>>> directives". Good to get the junk out of
>>> the puzzle.
>>>
>>> After commenting out the ReWrites, I restarted httpd.
>>> postfixadmin.domain.com is still landing in the
>>> mail.domain.com DocumentRoot.
>>>
>>> Is there some sort of "debug" directive which would help me figure out
>>> when the DocumentRoot
>>> is getting set to what and when.
>>>
>>> Ideas?
>>>
>>> First virt host config for postfixadmin
>>> <VirtualHost *:80>
>>>     SSLProxyEngine on
>>>     ServerName postfixadmin.domain.com
>>>     ProxyPreserveHost On
>>>     ServerAlias www.postfixadmin.domain.com
>>>     DocumentRoot /var/www/postfixadmin/public
>>>
>>>     <Directory /var/www/postfixadmin/public>
>>>         Options -Indexes +FollowSymLinks
>>>         AllowOverride All
>>>     </Directory>
>>>
>>>     ErrorLog /var/log/httpd/postfixadmin-error.log
>>>     CustomLog /var/log/httpd/postfixadmin-access.log combined
>>>     #RewriteEngine on
>>>     #RewriteCond %{SERVER_NAME} =www.postfixadmin.domain.com [OR]
>>>     #RewriteCond %{SERVER_NAME} =postfixadmin.domain.com
>>>     #RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
>>> </VirtualHost>
>>>
>>> second virt host config for mail
>>> <VirtualHost *:80>
>>>     SSLProxyEngine on
>>>     ServerName mail.domain.com
>>>     ProxyPreserveHost On
>>>     ServerAlias www.mail.domain.com
>>>     DocumentRoot /var/www/html
>>>
>>>     <Directory /var/www/html>
>>>         Options -Indexes +FollowSymLinks
>>>         AllowOverride All
>>>     </Directory>
>>>
>>>     ErrorLog /var/log/httpd/mail-domain-error.log
>>>     CustomLog /var/log/httpd/mail-domain-access.log combined
>>>     #RewriteEngine on
>>>     #RewriteCond %{SERVER_NAME} =www.mail.domain.com [OR]
>>>     #RewriteCond %{SERVER_NAME} =mail.domain.com
>>>     #RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
>>> </VirtualHost>
>>>
>>> On 10/7/2025 7:29 AM, Frank Gingras wrote:
>>>
>>> On Mon, Oct 6, 2025 at 5:12 PM Bret Stern <[email protected]> wrote:
>>>
>>>> Frank,
>>>>
>>>> I added the original mail.domain.com virt host conf file back and now
>>>> my postfixadmin stuff has reverted to
>>>> the wrong DocumentRoot and isn't working.
>>>>
>>>> Here are the VirtHost files. The names of the files do not matter
>>>> correct..they can be www.domain.com.conf or
>>>> somename.conf, right?
>>>>
>>>> First virt host config for postfixadmin
>>>> <VirtualHost *:80>
>>>>     SSLProxyEngine on
>>>>     ServerName postfixadmin.domain.com
>>>>     ProxyPreserveHost On
>>>>     ServerAlias www.postfixadmin.domain.com
>>>>     DocumentRoot /var/www/postfixadmin/public
>>>>
>>>>     <Directory /var/www/postfixadmin/public>
>>>>         Options -Indexes +FollowSymLinks
>>>>         AllowOverride All
>>>>     </Directory>
>>>>
>>>>     ErrorLog /var/log/httpd/postfixadmin-error.log
>>>>     CustomLog /var/log/httpd/postfixadmin-access.log combined
>>>>     RewriteEngine on
>>>>     RewriteCond %{SERVER_NAME} =www.postfixadmin.domain.com [OR]
>>>>     RewriteCond %{SERVER_NAME} =postfixadmin.domain.com
>>>>     RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
>>>> </VirtualHost>
>>>>
>>>> second virt host config for mail
>>>> <VirtualHost *:80>
>>>>     SSLProxyEngine on
>>>>     ServerName mail.domain.com
>>>>     ProxyPreserveHost On
>>>>     ServerAlias www.mail.domain.com
>>>>     DocumentRoot /var/www/html
>>>>
>>>>     <Directory /var/www/html>
>>>>         Options -Indexes +FollowSymLinks
>>>>         AllowOverride All
>>>>     </Directory>
>>>>
>>>>     ErrorLog /var/log/httpd/mail-domain-error.log
>>>>     CustomLog /var/log/httpd/mail-domain-access.log combined
>>>>     RewriteEngine on
>>>>     RewriteCond %{SERVER_NAME} =www.mail.domain.com [OR]
>>>>     RewriteCond %{SERVER_NAME} =mail.domain.com
>>>>     RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
>>>> </VirtualHost>
>>>>
>>>> This is my httpd -S readout for the internal server. Wondering if
>>>> anything here is obvious. I don't
>>>> read this stuff enough to know. So appreciate the eyes.
>>>>
>>>> Not sure what's causing the "already loaded" line below.
>>>>
>>>> [Mon Oct 06 13:50:40.068370 2025] [so:warn] [pid 10702:tid 10702] AH01574: module proxy_http_module is already loaded, skipping
>>>> VirtualHost configuration:
>>>> *:80 is a NameVirtualHost
>>>>     default server mail.domain.com (/etc/httpd/conf.d/mail.domain.com.conf:1)
>>>>     port 80 namevhost mail.domain.com (/etc/httpd/conf.d/mail.domain.com.conf:1)
>>>>         alias www.mail.domain.com
>>>>     port 80 namevhost postfixadmin.domain.com (/etc/httpd/conf.d/postfixadmin.conf:1)
>>>>         alias www.postfixadmin.domain.com
>>>> *:443 is a NameVirtualHost
>>>>     default server mail.domain.com (/etc/httpd/conf.d/mail.domain.com-le-ssl.conf:3)
>>>>     port 443 namevhost mail.domain.com (/etc/httpd/conf.d/mail.domain.com-le-ssl.conf:3)
>>>>         alias www.mail.domain.com
>>>>     port 443 namevhost postfixadmin.domain.com (/etc/httpd/conf.d/postfixadmin-le-ssl.conf:3)
>>>>         alias www.postfixadmin.domain.com
>>>>     port 443 namevhost 127.0.0.1 (/etc/httpd/conf.d/ssl.conf:40)
>>>> ServerRoot: "/etc/httpd"
>>>> Main DocumentRoot: "/var/www/html"
>>>> Main ErrorLog: "/etc/httpd/logs/error_log"
>>>> Mutex authdigest-opaque: using_defaults
>>>> Mutex watchdog-callback: using_defaults
>>>> Mutex proxy-balancer-shm: using_defaults
>>>> Mutex rewrite-map: using_defaults
>>>> Mutex ssl-stapling-refresh: using_defaults
>>>> Mutex authdigest-client: using_defaults
>>>> Mutex dav_fs-lockdb: using_defaults
>>>> Mutex lua-ivm-shm: using_defaults
>>>> Mutex ssl-stapling: using_defaults
>>>> Mutex proxy: using_defaults
>>>> Mutex authn-socache: using_defaults
>>>> Mutex ssl-cache: using_defaults
>>>> Mutex default: dir="/etc/httpd/run/" mechanism=default
>>>> Mutex cache-socache: using_defaults
>>>> PidFile: "/etc/httpd/run/httpd.pid"
>>>> Define: DUMP_VHOSTS
>>>> Define: DUMP_RUN_CFG
>>>> User: name="apache" id=48
>>>> Group: name="apache" id=48
>>>>
>>>> On 10/6/2025 9:02 AM, Frank Gingras wrote:
>>>>
>>>> On Mon, Oct 6, 2025 at 11:47 AM Bret Stern <[email protected]> wrote:
>>>>
>>>>> Thanks for the comment.
>>>>>
>>>>> I had to remove one of my virtual hosts to get this working.
>>>>>
>>>>> My virtual host settings were triple checked...but the DocumentRoot
>>>>> kept reverting to the
>>>>> wrong virtual host DocRoot.
>>>>>
>>>>> If the apache logic is to use the ServerName directive in the
>>>>> [virthost *:80] as the deciding factor to set the DocRoot, then either
>>>>> there is another
>>>>> setting that I'm not aware of or there is a bug in the logic in
>>>>> apache. When I have more time to
>>>>> look, maybe it will surface. I have some other http servers in our
>>>>> environments, so will check those results as well.
>>>>>
>>>>> Regardless, all of this is excellent learning experience.
>>>>> Bret
>>>>>
>>>>> On 10/5/2025 12:08 AM, E.S. Rosenberg wrote:
>>>>>
>>>>> Hey Bret,
>>>>>
>>>>> Unless I am very much mistaken you need to use the FQDN in the
>>>>> ProxyPass directive and if you don't want to expose the "real" IP of
>>>>> server
>>>>> B to the Internet you would need to "override" the public DNS records
>>>>> either in /etc/hosts or if you have the ability to present a different DNS
>>>>> view to server A and don't mind that complication that would be another
>>>>> option.
>>>>> You could I guess also use some internal FQDN as long as the
>>>>> virtualhosts on server B know to respond to that too and all the links
>>>>> they
>>>>> return are relative or rewritten to the domain server A presents.
>>>>>
>>>>> HTH,
>>>>> Eliyahu - אליהו
>>>>>
>>>>> On Sun, 5 Oct 2025 at 09:34, Bret Stern <[email protected]> wrote:
>>>>>
>>>>>> Can someone please comment.
>>>>>>
>>>>>> Apache server A is a physical server on my network. It has three
>>>>>> virtual
>>>>>> hosts serving three
>>>>>> different websites. This appears to be working correctly.
>>>>>>
>>>>>> Introducing Apache server B
>>>>>> Apache server A also acts as a reverse proxy to Apache server B which
>>>>>> is
>>>>>> another separate server with a static ip, and
>>>>>> acts as my mail server.
>>>>>>
>>>>>> There are two virtual hosts defined on Apache server B, one is
>>>>>> mail.domain.com and one is postfixadmin.domain.com
>>>>>>
>>>>>> My question is can Apache server A route (via reverse proxy) to the
>>>>>> two
>>>>>> virtual hosts on Apache server B.
>>>>>>
>>>>>> At this point it's close to working, but my postfixadmin.domain.com
>>>>>> is
>>>>>> having its document root directed to
>>>>>> virtual host mail.domain.com, instead of postfixadmin.domain.com
>>>>>>
>>>>>> I've spent hours checking my virt host configurations. Is there some
>>>>>> other setting outside the virtual host configuration that
>>>>>> is allowing the DocumentRoot to be hijacked?
>>>>>>
>>>>>> Can someone please confirm my setup is possible?
>>>>>> Regards
>>>>>>
>>>>>
>>>> You'll need to show the output from the apachectl -S command on all
>>>> servers to get a complete answer, to start.
>>>>
>>> The names of the config files are not relevant, indeed.
>>>
>>> That being said, your :80 vhosts make no sense. You use SSLProxyEngine
>>> on, yet you explicitly redirect to https:// in the same vhost. You
>>> have to decide if you want to proxy or redirect, first.
>>>
>> Hey Bret,
>>
>> Unless I am very much mistaken so far you have only shared the config of
>> the internal server (server B) and not the reverse proxy configs.
>> Based on what you are describing my suspicion is that your reverse proxy
>> configuration is wrong/stripping the target hostname and thus you end up on
>> whatever virtualhost matches by default.
>>
>> HTH,
>> Eliyahu - אליהו
>>
>> Hey Bret,
> As I suspected you are forwarding to the internal IP address, thus the
> internal server sees a request for http://IP/ and has no way to select a
> virtual host.
> You can either do what I suggested in my original reply to maintain the
> hostname or what you can also do is add/strip headers on the reverse proxy.
> HTH,
> Eliyahu - אליהו
>

Yes, you can, if you configure nsswitch to use the hosts file.
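
The default-vhost fallback discussed in this thread can be checked against the `httpd -S` output quoted above. The following is an added example, not code from any participant or from the Apache project: it parses the port 80 section of that output and applies a simplified model of name-based selection (exact, case-insensitive match on ServerName/ServerAlias; wildcard aliases and IPv6 literals are not modelled). The function names `parse_vhosts` and `select_vhost` are hypothetical.

```python
import re

# Port 80 section of the `httpd -S` output quoted in the thread (server B).
HTTPD_S = """\
*:80 is a NameVirtualHost
    default server mail.domain.com (/etc/httpd/conf.d/mail.domain.com.conf:1)
    port 80 namevhost mail.domain.com (/etc/httpd/conf.d/mail.domain.com.conf:1)
        alias www.mail.domain.com
    port 80 namevhost postfixadmin.domain.com (/etc/httpd/conf.d/postfixadmin.conf:1)
        alias www.postfixadmin.domain.com
"""

def parse_vhosts(text):
    """Return (default_server, {hostname: config_file}) for one listener."""
    default, names, current = None, {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"default server (\S+) \((.+):\d+\)", line):
            default = m.group(1).lower()
        elif m := re.match(r"port \d+ namevhost (\S+) \((.+):\d+\)", line):
            current = m.group(2)
            names[m.group(1).lower()] = current
        elif (m := re.match(r"alias (\S+)", line)) and current:
            # An alias belongs to the most recently listed namevhost.
            names[m.group(1).lower()] = current
    return default, names

def select_vhost(host_header, default, names):
    """Config file that serves this Host header; unmatched names get the default."""
    host = host_header.split(":")[0].lower()  # drop an optional :port
    return names.get(host, names[default])

DEFAULT, NAMES = parse_vhosts(HTTPD_S)

if __name__ == "__main__":
    # Host values a backend might receive from the proxy in front of it.
    for host in ("postfixadmin.domain.com", "192.168.60.157", "mail.domain.com"):
        print(f"Host: {host:26} -> {select_vhost(host, DEFAULT, NAMES)}")
```

Comparing the Host value recorded in server B's access log with this mapping shows which vhost a proxied request was actually matched against.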
