Re: Rewrite Rule
Ooopppsss!! Any way I can get a mod to delete my last email to the list?
Sent from my iPhone
On Apr 25, 2013, at 1:44 PM, "Chris Arnold" wrote:
> Sorry to email you directly but I am doing this to give you the complete unedited config files. I don't want them on an indexed mailing list for security reasons. Either you or I can post back to the list so others are aware of the findings.
>
> So I have made the NameVirtualHost edit in my listen.conf file:
>
> Listen 80
>
> # Listen 443
>
> # Use name-based virtual hosting
> #
> # - on a specified address / port:
> #
> #NameVirtualHost 12.34.56.78:80
> #
> # - name-based virtual hosting:
> #
> NameVirtualHost *:443
>
> Here is the "main" ssl virtual host:
>
> #This will be the default vhost because the name starts with 000
>
> # General setup for the virtual host
> #DocumentRoot "/srv/www/htdocs"
> ServerName teknerds.net:443
> ServerAlias mail.* ifolder.*
>
> #This rewrites https://mail.anydomain.tld to our mail server
> RewriteEngine On
> RewriteCond %{HTTP_HOST} ^mail\.
> RewriteCond %{HTTPS} on
> RewriteRule ^/(.*) https://192.168.124.3/$1 [P]
> #RedirectMatch ^/$ /zimbra/
>
> #This rewrites https://mail.anydomain.tld to our mail server
> #RewriteEngine On
> #RewriteLog /var/log/apache2/rewrite.log
> #RewriteLogLevel 3
> #RewriteCond %{HTTP_HOST} ^apps\.
> #RewriteCond %{HTTPS} on
> #RewriteRule ^/(.*) https://192.168.123.7/rdweb/ [P]
> #RedirectMatch ^/$ /rdweb/
>
> RewriteCond %{HTTP_HOST} ^webmail\.
> RewriteCond %{HTTPS} on
> RewriteRule ^/(.*) https://192.168.124.3/$1 [P]
>
> #This rewrites https://ifolder.anydomain.tld to our ifolder server
> #RewriteCond %{HTTP_HOST} ^ifolder\.
> #RewriteCond %{HTTPS} on
> #RewriteRule ^/(.*) https://192.168.123.4/ifolder/$1 [P]
> #RedirectMatch ^/$ /ifolder/
>
> #This rewrites https://share.anydomain.tld to our alfresco server
> #RewriteCond %{HTTP_HOST} ^share\.
> #RewriteCond %{HTTPS} on
> #RewriteRule ^/(.*) http://192.168.123.3:8080/share/$1 [P]
>
> #ServerAdmin webmaster@xxxxxxxxxxx
> ErrorLog /var/log/apache2/error_log
> TransferLog /var/log/apache2/access_log
>
> SSLProxyEngine On
> ProxyPreserveHost On
> ProxyPass /ifolder https://192.168.123.4/ifolder
> ProxyPassReverse /ifolder https://192.168.123.4/ifolder
> ProxyPass /simias10 https://192.168.123.4/simias10
> ProxyPassReverse /simias10 https://192.168.123.4/simias10
> ProxyPass /admin https://192.168.123.4/admin
> ProxyPassReverse /admin https://192.168.123.4/admin
> ProxyPass /nps https://192.168.123.4/nps
> ProxyPassReverse /nps https://192.168.123.4/nps
>
> #ProxyPass / https://192.168.124.3/
> #ProxyPassReverse / https://192.168.124.3/
> #
> # Order allow,deny
> # Allow from all
> #
>
> # SSL Engine Switch:
> # Enable/Disable SSL for this virtual host.
> SSLEngine on
>
> # SSL Cipher Suite:
> # List the ciphers that the client is permitted to negotiate.
> # See the mod_ssl documentation for a complete list.
> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>
> # Server Certificate:
> # Point SSLCertificateFile at a PEM encoded certificate. If
> # the certificate is encrypted, then you will be prompted for a
> # pass phrase. Note that a kill -HUP will prompt again. Keep
> # in mind that if you have both an RSA and a DSA certificate you
> # can configure both in parallel (to also allow the use of DSA
> # ciphers, etc.)
> SSLCertificateFile /etc/apache2/ssl.crt/server.crt
>
> Here is the apps virtualhost file:
>
>
> ServerName apps.teknerds.net
> SSLEngine On
> SSLCertificateFile /etc/apache2/ssl.crt/server.crt
> SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
>
> ProxyPass / https://192.168.123.7/rdweb
> ProxyPassReverse / https://192.168.123.7/rdweb
>
> ErrorLog /var/log/apache2/apps.error_log
> TransferLog /var/log/apache2/apps.access_log
>
>
> With this present config, when going to https://apps.teknerds.net in IE 8, Internet Explorer cannot display the web page. The apps.error log does not show anything in it except the certificate name not matching.
> Also in this present config, webmail stops working and ifolder stops working. These are in the "main" ssl virtualhost and you access them by https://mail.teknerds.net and https://teknerds.net/ifolder. I am going to undo the listen.conf edit and rename the apps ssl host file as we have customers that use these resources.
> Should you want access to the server, I can supply that, just let me know. Thanks for the help
>
> ----- Original Message -----
> From: "Tom Evans"
> To: users@xxxxxxxxxxxxxxxx
> Sent: Thursday, April 25, 2013 12:39:47 PM
> Subject: Re: Rewrite Rule
>
> On Thu, Apr 25, 2013 at 4:53 PM, Chris Arnold
> wrote:
>> On Apr 25, 2013, at 11:32 AM, "Tom Evans" wrote:
>>
>>> It looks like you are rewriting it to its current location. This
>>> leads to a loop.
>>>
>>> Why are you using rewrite rules anyway?
>>
>> Because reverse proxy does not work
>
> ...
>
> The *only* way to get content from a backend is via reverse proxy.
>
>>
>>
>>> It seems like you want to
>>> reverse proxy from an apache server with a public IP to a backend
>>> webserver in your private LAN. Where do rewrite rules come in to this?
>>> Why are you checking the host name in your rewrite rules, instead of
>>> using vhosts? Why is this not your configuration:
>>
>> As I stated in an earlier post, apache does not start when more than 1 ssl
>> virtual host (complains about overlap)
>
> Not using vhosts is frankly more trouble than it is worth. Use vhosts.
> Post about the problem that using vhosts gives you. You must be using
> the same certificate for both hostnames anyway (presumably a wildcard
> cert or using subjectAltName, or you just ignore the errors?), so the
> configuration should be pretty straightforward.
>
>>
>>
>>> ServerName apps.tld
>>> ProxyPass / https://192.168.123.7/
>>> ProxyPassReverse / https://192.168.123.7/
>>
>> We have many different things that run on this server and apache handles
>> them. When using "/" in your proxy config, everything stops working, email,
>> other websites etc.
>
> So don't proxy from /, or add specific excludes for the paths you do
> not want to be proxied:
>
> ProxyPass /email !
> ProxyPass / https://192.168.123.7/
>
> Again, this problem goes away if you correctly separate out your
> separate hosts into their own vhost configuration.
>
>>
>>>
>>> I'm very confused by what you're trying to achieve.
>>
>> I covered this in my first email but will try to describe it again: server
>> behind an apache server that we need users to get to using
>> https://apps.domain.tld. The app resides at http:///sub. We need apache to
>> catch the https://apps.domain.tld request and send to https://another
>> server/sub
>
>
> NameVirtualHost *:443
>
> <VirtualHost *:443>
>   ServerName www.domain.tld
>   SSLEngine On
>   SSLCertificateFile ..
>   SSLCertificateKeyFile ..
>
>   # All your current directives that apply to www
> </VirtualHost>
>
> <VirtualHost *:443>
>   ServerName apps.domain.tld
>   SSLEngine On
>   SSLCertificateFile ..
>   SSLCertificateKeyFile ..
>
>   ProxyPass / https://192.168.123.7/
>   ProxyPassReverse / https://192.168.123.7/
> </VirtualHost>
>
> Cheers
>
> Tom
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>
>
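Added example, not part of the original thread or of Apache httpd: a small Python check run over directives like those quoted above. It flags a [P] proxy rule selected by an unanchored Host-header prefix, a ProxyPass whose two arguments disagree on the trailing slash, and an SSLCipherSuite that names the LOW, EXP, eNULL or SSLv2 classes without a "!" exclusion. The names audit, SAMPLE and WEAK_CLASSES are made up for this example.

```python
# Constructed sample: directives copied from the configs quoted in the thread.
SAMPLE = r"""RewriteEngine On
RewriteCond %{HTTP_HOST} ^mail\.
RewriteCond %{HTTPS} on
RewriteRule ^/(.*) https://192.168.124.3/$1 [P]
ProxyPass /ifolder https://192.168.123.4/ifolder
ProxyPass / https://192.168.123.7/rdweb
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
"""

WEAK_CLASSES = ("LOW", "EXP", "eNULL", "SSLv2")  # the classes named on the page


def audit(conf):
    """Return [(line_number, finding)] for one httpd config text (hypothetical helper)."""
    findings, host_conds = [], []
    for n, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, *args = line.split()
        name = name.lower()
        if name == "rewritecond" and len(args) >= 2:
            # A Host pattern without a '$' anchor is only a prefix match.
            if "HTTP_HOST" in args[0] and not args[1].endswith("$"):
                host_conds.append(args[1])
        elif name == "rewriterule":
            flags = args[2].strip("[]").lower().split(",") if len(args) > 2 else []
            if host_conds and {"p", "proxy"} & {f.strip() for f in flags}:
                findings.append((n, "proxy target chosen by Host prefix %s; "
                                    "use a dedicated vhost" % host_conds[-1]))
            host_conds = []  # conditions bind only to the next rule
        elif name == "proxypass" and len(args) >= 2 and args[1] != "!":
            # mod_proxy expects both arguments to agree on the trailing slash.
            if args[0].endswith("/") != args[1].endswith("/"):
                findings.append((n, "trailing slash mismatch: %s -> %s"
                                 % (args[0], args[1])))
        elif name == "sslciphersuite" and args:
            tokens = [t.lstrip("+-") for t in args[0].split(":")]
            banned = {t[1:] for t in tokens if t.startswith("!")}
            weak = [t for t in tokens if t in WEAK_CLASSES and t not in banned]
            if weak:
                findings.append((n, "weak cipher classes not excluded: "
                                 + ",".join(weak)))
    return findings


if __name__ == "__main__":
    for line_no, finding in audit(SAMPLE):
        print(line_no, finding)
```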