Hi, I don't know the solution out of my head, but maybe pointing out what goes wrong helps you already. On 11.04.2012, at 18:11, Charlie Katz wrote: > Hi, as an interim solution in an internal reorganization of server resources, I > want to use mod_proxy as a reverse proxy to move the entire functionality of a > public-facing server (www.example.com) to an internal server > (internal.example.com). (configuration at end) > > https is used in this site only for logging in, after which a 302 redirect is > issued pointing to http://www.example.com/home.html, and the session continues > through http. I am having trouble getting ProxyPassReverse to rewrite the > Location header in the redirect properly. > > Here's the sequence: > -client sends POST login credentials to https://www.example.com/login.html So you are in the SSL VirtualHost context, in which the reply is evaluated as well. > -request is proxied by https://www.example.com to > https://internal.example.com/login.html > -login succeeds, respond with 302 redirect to > http://internal.example.com/home.html > -reply goes to https://www.example.com Which is the SSL VHost. > - ******** ProxyPassReverse rewrites the Location header > from http://internal.example.com/home.html to https://www.example.com/home.html Yes. The directive is: > ProxyPassReverse / http://internal.example.com/ It matches http://internal.example.com/ to the Location header value of http://internal.example.com/home.html, and replaces it with the /local path/ of '/' within the context of the /current virtual host/, using either the canonical hostname of the VHost or the original request's hostname depending on UseCanonicalName directive. So the result of ProxyPassReverse will *always* be a URL within the current VHost, but you need to send a redirect to your other, non-SSL VHost. You'll need a different or additional way to adjust the redirection than ProxyPassReverse (alone). One way could be accepting that the client will receive the HTTPS redirect URL, and when it follows that, explicitly redirect https://www.example.com/home.html to http://www.example.com/home.html This of course means that the client sees one more redirect. Another idea is using mod_headers to process the Location header in the proxy response. But I'm not sure that will work, depending on how Apache will chain mod_proxy and mod_headers in that case. > -reply received by client, which acts on the redirect > > The starred ******* step is what is going wrong, as the proxy is changing the > http to https despite the explicit "ProxyPassReverse / > http://internal.example.com"; line. > > I have tried many different tweaks to the configuration, but I always find that > the header is rewritten back to https despite my explicitly specifying http in > the response. This is the misunderstanding. The URL as second argument to the ProxyPassReverse directive is *not* used in the response in any way, it is only used to match a location header returned by a proxy backend to determine if and what to replace. The replacement is always the current host URL. > I feel like I must be misunderstanding something here. Can anyone help me > untangle it? > > Regards, > Charlie Katz HTH Rainer --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|