Re: Rewrite Rule

Sorry to email you directly, but I am doing this to give you the complete unedited config files. I don't want them on an indexed mailing list for security reasons. Either you or I can post back to the list so others are aware of the findings.

So I have made the NameVirtualHost edit in my listen.conf file:

Listen 80


<IfDefine SSL>
    <IfDefine !NOSSL>
	<IfModule mod_ssl.c>

#	    Listen 443

	</IfModule>
    </IfDefine>
</IfDefine>


# Use name-based virtual hosting
# 
# - on a specified address / port:
#
#NameVirtualHost 12.34.56.78:80
#
# - name-based virtual hosting:
#
NameVirtualHost *:443

Here is the "main" ssl virtual host:

<IfDefine SSL>
<IfDefine !NOSSL>

<VirtualHost *:443>
	#This will be the default vhost because the name starts with 000

	#  General setup for the virtual host
	#DocumentRoot "/srv/www/htdocs"
	ServerName teknerds.net:443
	ServerAlias mail.* ifolder.*

	#This rewrites https://mail.anydomain.tld to our mail server
	RewriteEngine On
	RewriteCond %{HTTP_HOST} ^mail\.
	RewriteCond %{HTTPS} on
	RewriteRule ^/(.*) https://192.168.124.3/$1 [P]
	#RedirectMatch ^/$ /zimbra/

	#This rewrites https://mail.anydomain.tld to our mail server
	#RewriteEngine On
	#RewriteLog /var/log/apache2/rewrite.log
	#RewriteLogLevel 3
	#RewriteCond %{HTTP_HOST} ^apps\.
	#RewriteCond %{HTTPS} on
	#RewriteRule ^/(.*) https://192.168.123.7/rdweb/ [P]
	#RedirectMatch ^/$ /rdweb/

	RewriteCond %{HTTP_HOST} ^webmail\.
	RewriteCond %{HTTPS} on
	RewriteRule ^/(.*) https://192.168.124.3/$1 [P]
	
	#This rewrites https://ifolder.anydomain.tld to our ifolder server
	#RewriteCond %{HTTP_HOST} ^ifolder\.
	#RewriteCond %{HTTPS} on
	#RewriteRule ^/(.*) https://192.168.123.4/ifolder/$1 [P]
	#RedirectMatch ^/$ /ifolder/

	#This rewrites https://share.anydomain.tld to our alfresco server
	#RewriteCond %{HTTP_HOST} ^share\.
	#RewriteCond %{HTTPS} on
	#RewriteRule ^/(.*) http://192.168.123.3:8080/share/$1 [P]
	
	#ServerAdmin webmaster@xxxxxxxxxxx
	ErrorLog /var/log/apache2/error_log
	TransferLog /var/log/apache2/access_log

	SSLProxyEngine On
	ProxyPreserveHost On
	ProxyPass /ifolder https://192.168.123.4/ifolder
	ProxyPassReverse /ifolder https://192.168.123.4/ifolder
	ProxyPass /simias10 https://192.168.123.4/simias10
	ProxyPassReverse /simias10 https://192.168.123.4/simias10
	ProxyPass /admin https://192.168.123.4/admin
	ProxyPassReverse /admin https://192.168.123.4/admin
	ProxyPass /nps https://192.168.123.4/nps
	ProxyPassReverse /nps https://192.168.123.4/nps
	
	#ProxyPass / https://192.168.124.3/
	#ProxyPassReverse / https://192.168.124.3/
	#<Proxy *>
	#	Order allow,deny
	#	Allow from all
	#</Proxy>

	#   SSL Engine Switch:
	#   Enable/Disable SSL for this virtual host.
	SSLEngine on

	#   SSL Cipher Suite:
	#   List the ciphers that the client is permitted to negotiate.
	#   See the mod_ssl documentation for a complete list.
	SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

	#   Server Certificate:
	#   Point SSLCertificateFile at a PEM encoded certificate.  If
	#   the certificate is encrypted, then you will be prompted for a
	#   pass phrase.  Note that a kill -HUP will prompt again.  Keep
	#   in mind that if you have both an RSA and a DSA certificate you
	#   can configure both in parallel (to also allow the use of DSA
	#   ciphers, etc.)
	SSLCertificateFile /etc/apache2/ssl.crt/server.crt

Here is the apps virtualhost file:

<VirtualHost *:443>
  ServerName apps.teknerds.net
  SSLEngine On
  SSLCertificateFile /etc/apache2/ssl.crt/server.crt
  SSLCertificateKeyFile /etc/apache2/ssl.key/server.key

  ProxyPass / https://192.168.123.7/rdweb
  ProxyPassReverse / https://192.168.123.7/rdweb
  
	ErrorLog /var/log/apache2/apps.error_log
	TransferLog /var/log/apache2/apps.access_log
</VirtualHost> 

With this present config, when going to https://apps.teknerds.net in IE 8, Internet Explorer cannot display the web page. The apps.error_log does not show anything in it except the certificate name not matching.
Also in this present config, webmail stops working and ifolder stops working. These are in the "main" SSL virtual host and you access them by https://mail.teknerds.net and https://teknerds.net/ifolder. I am going to undo the listen.conf edit and rename the apps SSL host file, as we have customers that use these resources.
Should you want access to the server, I can supply that; just let me know. Thanks for the help.

----- Original Message -----
From: "Tom Evans" <tevans.uk@xxxxxxxxxxxxxx>
To: users@xxxxxxxxxxxxxxxx
Sent: Thursday, April 25, 2013 12:39:47 PM
Subject: Re:  Rewrite Rule

On Thu, Apr 25, 2013 at 4:53 PM, Chris Arnold
<carnold@xxxxxxxxxxxxxxxxxxx> wrote:
> On Apr 25, 2013, at 11:32 AM, "Tom Evans" wrote:
>
>> It looks like you are rewriting it to its current location. This
>> leads to a loop.
>>
>> Why are you using rewrite rules anyway?
>
> Because reverse proxy does not work

...

The *only* way to get content from a backend is via reverse proxy.

>
>
>> It seems like you want to
>> reverse proxy from an apache server with a public IP to a backend
>> webserver in your private LAN. Where do rewrite rules come in to this?
>> Why are you checking the host name in your rewrite rules, instead of
>> using vhosts? Why is this not your configuration:
>>
>>
>
> As I stated in an earlier post, Apache does not start when there is more than 1 SSL
> virtual host (it complains about overlap)

Not using vhosts is frankly more trouble than it is worth. Use vhosts.
Post about the problem that using vhosts gives you. You must be using
the same certificate for both hostnames anyway (presumably a wildcard
cert or using subjectAltName, or you just ignore the errors?), so the
configuration should be pretty straightforward.

>
>
>> ServerName apps.tld
>> ProxyPass / https://192.168.123.7/
>> ProxyPassReverse / https://192.168.123.7/
>>
>
> We have many different things that run on this server and apache handles
> them. When using "/" in your proxy config, everything stops working, email,
> other websites etc.

So don't proxy from /, or add specific excludes for the paths you do
not want to be proxied:

ProxyPass /email !
ProxyPass / https://192.168.123.7/

Again, this problem goes away if you correctly separate out your
separate hosts into their own vhost configuration.

>
>>
>> I'm very confused by what you're trying to achieve.
>
> I covered this in my first email but will try to describe it again: server
> behind an apache server that we need users to get to using
> https://apps.domain.tld. The app resides at http:///sub. We need apache to
> catch the https://apps.domain.tld request and send to https://another
> server/sub
>


NameVirtualHost *:443

<VirtualHost *:443>
  ServerName www.domain.tld
  SSLEngine On
  SSLCertificateFile ..
  SSLCertificateKeyFile ..

  # All your current directives that apply to www
</VirtualHost>

<VirtualHost *:443>
  ServerName apps.domain.tld
  SSLEngine On
  SSLCertificateFile ..
  SSLCertificateKeyFile ..

  ProxyPass / https://192.168.123.7/
  ProxyPassReverse / https://192.168.123.7/
</VirtualHost>

Cheers

Tom
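
As an added example (not part of either message), here is how the hostnames in Chris's posted config can be split into the separate *:443 vhosts Tom recommends, keeping the thread's hostnames, backend addresses and certificate paths; the restricted cipher list, the active Listen 443, the SSLProxyEngine line in the apps vhost and the matched trailing slashes on its ProxyPass are changes from the posted config, and only a subset of the ifolder ProxyPass pairs is shown.

```apache
# Exactly one active Listen 443 (the posted listen.conf has it commented out).
Listen 443
NameVirtualHost *:443
# The first *:443 vhost is the default: it serves unmatched names and does the
# handshake for clients without SNI, so its certificate must cover every name.
<VirtualHost *:443>
    ServerName teknerds.net
    ServerAlias ifolder.*
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
    # The posted cipher list admitted SSLv2, export, LOW and NULL ciphers.
    SSLProtocol all -SSLv2
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!eNULL:!EXPORT:!LOW
    # SSLProxyEngine is required in every vhost that proxies to an https:// backend.
    SSLProxyEngine On
    ProxyPreserveHost On
    ProxyPass        /ifolder  https://192.168.123.4/ifolder
    ProxyPassReverse /ifolder  https://192.168.123.4/ifolder
    ProxyPass        /simias10 https://192.168.123.4/simias10
    ProxyPassReverse /simias10 https://192.168.123.4/simias10
    ErrorLog    /var/log/apache2/error_log
    TransferLog /var/log/apache2/access_log
</VirtualHost>
# Replaces the RewriteCond %{HTTP_HOST} ^mail\. / ^webmail\. [P] rules.
<VirtualHost *:443>
    ServerName mail.teknerds.net
    ServerAlias mail.* webmail.*
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
    SSLProxyEngine On
    ProxyPreserveHost On
    ProxyPass        / https://192.168.124.3/
    ProxyPassReverse / https://192.168.124.3/
</VirtualHost>
# Trailing slashes must match on both sides, or /x would map to /rdwebx.
<VirtualHost *:443>
    ServerName apps.teknerds.net
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
    SSLProxyEngine On
    ProxyPass        / https://192.168.123.7/rdweb/
    ProxyPassReverse / https://192.168.123.7/rdweb/
    ErrorLog    /var/log/apache2/apps.error_log
    TransferLog /var/log/apache2/apps.access_log
</VirtualHost>
```

Apache rejects trailing comments on directive lines, so every note above is on its own line; check the result with `apache2ctl -t` before reloading.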

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx

