On 4/25/2013 1:59 PM, Chris Arnold wrote:
Ooopppsss!! Any way I can get a mod to delete my last email to the list?

Sent from my iPhone

On Apr 25, 2013, at 1:44 PM, "Chris Arnold" <carnold@xxxxxxxxxxxxxxxxxxx> wrote:

Sorry to email you directly but I am doing this to give you the complete unedited config files. I don't want them on an indexed mailing list for security reasons. Either you or I can post back to the list so others are aware of the findings. So I have made the namevirtualhost edit in my listen.conf file:

    Listen 80

    <IfDefine SSL>
    <IfDefine !NOSSL>
    <IfModule mod_ssl.c>
    # Listen 443
    </IfModule>
    </IfDefine>
    </IfDefine>

    # Use name-based virtual hosting
    #
    # - on a specified address / port:
    #
    #NameVirtualHost 12.34.56.78:80
    #
    # - name-based virtual hosting:
    #
    NameVirtualHost *:443

Here is the "main" ssl virtual host:

    <IfDefine SSL>
    <IfDefine !NOSSL>
    <VirtualHost *:443>
    #This will be the default vhost because the name starts with 000
    # General setup for the virtual host
    #DocumentRoot "/srv/www/htdocs"
    ServerName teknerds.net:443
    ServerAlias mail.* ifolder.*

    #This rewrites https://mail.anydomain.tld to our mail server
    RewriteEngine On
    RewriteCond %{HTTP_HOST} ^mail\.
    RewriteCond %{HTTPS} on
    RewriteRule ^/(.*) https://192.168.124.3/$1 [P]
    #RedirectMatch ^/$ /zimbra/

    #This rewrites https://mail.anydomain.tld to our mail server
    #RewriteEngine On
    #RewriteLog /var/log/apache2/rewrite.log
    #RewriteLogLevel 3
    #RewriteCond %{HTTP_HOST} ^apps\.
    #RewriteCond %{HTTPS} on
    #RewriteRule ^/(.*) https://192.168.123.7/rdweb/ [P]
    #RedirectMatch ^/$ /rdweb/

    RewriteCond %{HTTP_HOST} ^webmail\.
    RewriteCond %{HTTPS} on
    RewriteRule ^/(.*) https://192.168.124.3/$1 [P]

    #This rewrites https://ifolder.anydomain.tld to our ifolder server
    #RewriteCond %{HTTP_HOST} ^ifolder\.
    #RewriteCond %{HTTPS} on
    #RewriteRule ^/(.*) https://192.168.123.4/ifolder/$1 [P]
    #RedirectMatch ^/$ /ifolder/

    #This rewrites https://share.anydomain.tld to our alfresco server
    #RewriteCond %{HTTP_HOST} ^share\.
    #RewriteCond %{HTTPS} on
    #RewriteRule ^/(.*) http://192.168.123.3:8080/share/$1 [P]

    #ServerAdmin webmaster@xxxxxxxxxxx
    ErrorLog /var/log/apache2/error_log
    TransferLog /var/log/apache2/access_log

    SSLProxyEngine On
    ProxyPreserveHost On
    ProxyPass /ifolder https://192.168.123.4/ifolder
    ProxyPassReverse /ifolder https://192.168.123.4/ifolder
    ProxyPass /simias10 https://192.168.123.4/simias10
    ProxyPassReverse /simias10 https://192.168.123.4/simias10
    ProxyPass /admin https://192.168.123.4/admin
    ProxyPassReverse /admin https://192.168.123.4/admin
    ProxyPass /nps https://192.168.123.4/nps
    ProxyPassReverse /nps https://192.168.123.4/nps
    #ProxyPass / https://192.168.124.3/
    #ProxyPassReverse / https://192.168.124.3/

    #<Proxy *>
    # Order allow,deny
    # Allow from all
    #</Proxy>

    # SSL Engine Switch:
    # Enable/Disable SSL for this virtual host.
    SSLEngine on

    # SSL Cipher Suite:
    # List the ciphers that the client is permitted to negotiate.
    # See the mod_ssl documentation for a complete list.
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

    # Server Certificate:
    # Point SSLCertificateFile at a PEM encoded certificate. If
    # the certificate is encrypted, then you will be prompted for a
    # pass phrase. Note that a kill -HUP will prompt again. Keep
    # in mind that if you have both an RSA and a DSA certificate you
    # can configure both in parallel (to also allow the use of DSA
    # ciphers, etc.)
    SSLCertificateFile /etc/apache2/ssl.crt/server.crt

Here is the apps virtualhost file:

    <VirtualHost *:443>
    ServerName apps.teknerds.net
    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
    ProxyPass / https://192.168.123.7/rdweb
    ProxyPassReverse / https://192.168.123.7/rdweb
    ErrorLog /var/log/apache2/apps.error_log
    TransferLog /var/log/apache2/apps.access_log
    </VirtualHost>

With this present config, when going to https://apps.teknerds.net in IE 8, Internet Explorer cannot display the web page.
The apps.error log does not show anything in it except the certificate name not matching. Also in this present config, webmail stops working and ifolder stops working. These are in the "main" ssl virtualhost and you access them by https://mail.teknerds.net and https://teknerds.net/ifolder. I am going to undo the listen.conf edit and rename the apps ssl host file as we have customers that use these resources. Should you want access to the server, I can supply that, just let me know. Thanks for the help

----- Original Message -----
From: "Tom Evans" <tevans.uk@xxxxxxxxxxxxxx>
To: users@xxxxxxxxxxxxxxxx
Sent: Thursday, April 25, 2013 12:39:47 PM
Subject: Re: Rewrite Rule

On Thu, Apr 25, 2013 at 4:53 PM, Chris Arnold <carnold@xxxxxxxxxxxxxxxxxxx> wrote:

On Apr 25, 2013, at 11:32 AM, "Tom Evans" wrote:

It looks like you are rewriting it to its current location. This leads to a loop. Why are you using rewrite rules anyway?

Because reverse proxy does not work...

The *only* way to get content from a backend is via reverse proxy.

It seems like you want to reverse proxy from an apache server with a public IP to a backend webserver in your private LAN. Where do rewrite rules come in to this? Why are you checking the host name in your rewrite rules, instead of using vhosts? Why is this not your configuration:

As I stated in an earlier post, apache does not start when more than 1 ssl virtual host (complains about overlap)

Not using vhosts is frankly more trouble than it is worth. Use vhosts. Post about the problem that using vhosts gives you. You must be using the same certificate for both hostnames anyway (presumably a wildcard cert or using subjectAltName, or you just ignore the errors?), so the configuration should be pretty straightforward.

    ServerName apps.tld
    ProxyPass / https://192.168.123.7/
    ProxyPassReverse / https://192.168.123.7/

We have many different things that run on this server and apache handles them.
When using "/" in your proxy config, everything stops working, email, other websites etc.

So don't proxy from /, or add specific excludes for the paths you do not want to be proxied:

    ProxyPass /email !
    ProxyPass / https://192.168.123.7/

Again, this problem goes away if you correctly separate out your separate hosts into their own vhost configuration.

I'm very confused by what you're trying to achieve.

I covered this in my first email but will try to describe it again: server behind an apache server that we need users to get to using https://apps.domain.tld. The app resides at http:///sub. We need apache to catch the https://apps.domain.tld request and send to https://another server/sub

    NameVirtualHost *:443

    <VirtualHost *:443>
    ServerName www.domain.tld
    SSLEngine On
    SSLCertificateFile ..
    SSLCertificateKeyFile ..
    # All your current directives that apply to www
    </VirtualHost>

    <VirtualHost *:443>
    ServerName apps.domain.tld
    SSLEngine On
    SSLCertificateFile ..
    SSLCertificateKeyFile ..
    ProxyPass / https://192.168.123.7/
    ProxyPassReverse / https://192.168.123.7/
    </VirtualHost>

Cheers

Tom

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
Previewing your email would probably have been a good idea :)

Frank
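Added example (not part of the original thread and not code from any of the posters): a small Python check for two ProxyPass pitfalls that the configurations above touch on, a path and backend URL that disagree on the trailing slash, and a rule or `!` exclusion placed after an earlier rule on a parent path, which matches first. The function name `lint_proxypass` and the sample input are constructed for illustration; the sample combines the apps vhost lines with the `/email` exclusion in the wrong order.

```python
# Constructed sample: the apps vhost lines from the thread, followed by the
# "/email" exclusion placed after "ProxyPass /" (i.e. in the wrong order).
SAMPLE = """\
<VirtualHost *:443>
    ServerName apps.teknerds.net
    ProxyPass / https://192.168.123.7/rdweb
    ProxyPassReverse / https://192.168.123.7/rdweb
    ProxyPass /email !
</VirtualHost>
"""


def lint_proxypass(conf):
    """Return (vhost, line_no, message) findings for ProxyPass rules."""
    findings, vhost, seen = [], "(global)", []
    for no, raw in enumerate(conf.splitlines(), 1):
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        key = words[0].lower()
        if key.startswith("<virtualhost"):
            vhost, seen = raw.strip(), []      # new scope, new rule list
        elif key.startswith("</virtualhost"):
            vhost, seen = "(global)", []
        elif key == "servername" and len(words) > 1:
            vhost = words[1]
        elif key == "proxypass" and len(words) >= 3:
            path, target = words[1], words[2]
            # Rules are tried in configuration order and the first match
            # wins, so an earlier rule on a parent path hides this one.
            for prev in seen:
                if path == prev or path.startswith(prev.rstrip("/") + "/"):
                    findings.append((vhost, no, f"{path} is shadowed by earlier {prev}"))
                    break
            # Path and backend URL should both end in "/" or both not.
            if target != "!" and path.endswith("/") != target.endswith("/"):
                findings.append((vhost, no, f"trailing slash differs: {path} -> {target}"))
            seen.append(path)
    return findings


if __name__ == "__main__":
    for finding in lint_proxypass(SAMPLE):
        print(finding)
```

The check only looks inside each `<VirtualHost>` block and does not model ProxyPass rules inherited from the global server configuration.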