On 4/8/2020 4:11 PM, James H. H. Lampert wrote:
> On 4/8/20 3:52 PM, Mark Eggers wrote:
>>>> <Proxy "*">
>>>> Require ip 127
>>>> </Proxy>
>
> Dear Mr. Eggers (et al.):
>
> I'm still not clear on what that even *does* (and the official docs
> leave me even more confused: "only allow hosts in . . . to access
> content via your proxy"); could you (or somebody else) explain it?
> Remember, while I may be (deservedly or otherwise) a guru on getting
> Tomcat running on an IBM Midrange box, I have no illusions about having
> the slightest clue what I'm doing with httpd. Yesterday, I was tearing
> my hair out because certbot wasn't working, only to discover that I had
> a malformed VirtualHost.
>
> And as to vendor-supplied installations, I agree with you. I'm rather
> irritated with the "Debianism" of splitting Tomcat up so completely that
> webapp contexts can be in at least two different places, and the general
> "Linuxism" of *not* including manager and host-manager (although I've
> never needed the latter) in the basic installation, and sometimes not
> even including a default root.
>
> --
Basically, the <Proxy *> is applied to all the proxy statements in your
configuration. See
https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxy for some
examples.

The Require statement means only allow connections from what is
required - in my example 127 gets mapped to 127.0.0.1 (localhost). So
the configuration that I have given restricts all proxy connections to
localhost, which means that no outside proxy connections are possible.
This is a good thing, I think.

So if I remember everything correctly, you could be really specific with
the following:

    <Proxy "https://qux.baz.com">
        Require ip 127.0.0.1
    </Proxy>

Place this inside the virtual host defined in the appropriate ssl.conf
snippet. I think that you have an ssl.conf file per domain, right? Then
in the non-ssl snippet, you would rewrite all the requests to go to
HTTPS.

Again, please verify this with an Apache HTTPD expert, and discuss this
on the Apache HTTPD mailing list. I do all of this with mod_jk, so my
configuration is quite a bit different.

Again, I personally like the broad brush approach and then override
specifics per virtual host. Sort of a combination of least permissions
plus management by exception.

. . . just my two cents

/mde/
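As an added example (not the configuration from the thread, and not the poster's own setup), here is how the <Proxy> block fits into a per-domain ssl.conf snippet that reverse proxies to Tomcat, with the plain-HTTP virtual host redirecting everything to HTTPS. In httpd 2.4 the Require rules inside <Proxy> apply to the clients fetching content through the proxy, ProxyPass'd content included, so a localhost-only rule suits a service that should be reachable only from the box itself, while a site serving other clients needs a wider range. The host name app.example.com, the certbot certificate paths, the Tomcat port 8080 and the 10.0.0.0/8 range are all assumptions.

```apache
# Added example, not from the thread. app.example.com, the certificate
# paths, port 8080 and 10.0.0.0/8 are assumed values.

# Non-SSL snippet: the port 80 host only sends clients to HTTPS.
<VirtualHost *:80>
    ServerName app.example.com
    Redirect permanent "/" "https://app.example.com/"
</VirtualHost>

# SSL snippet: the per-domain ssl.conf file.
<VirtualHost *:443>
    ServerName app.example.com

    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/app.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/app.example.com/privkey.pem

    # Reverse proxy only: with ProxyRequests Off, clients cannot use this
    # server as a forward proxy to reach arbitrary hosts.
    ProxyRequests Off
    ProxyPreserveHost On

    # Access control for content reached through the proxy. A partial
    # address such as "127" matches every 127.x.x.x client; add the ranges
    # that should actually reach the application, otherwise outside users
    # receive 403 for the proxied paths.
    <Proxy "http://127.0.0.1:8080/*">
        Require ip 127 10.0.0.0/8
    </Proxy>

    # Publish the Tomcat webapp under /app/ on this virtual host.
    ProxyPass        "/app/" "http://127.0.0.1:8080/app/"
    ProxyPassReverse "/app/" "http://127.0.0.1:8080/app/"
</VirtualHost>
```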