Re: Rewrite Rule

On 4/25/2013 1:59 PM, Chris Arnold wrote:
Ooopppsss!! Any way I can get a mod to delete my last email to the list?

Sent from my iPhone

On Apr 25, 2013, at 1:44 PM, "Chris Arnold" <carnold@xxxxxxxxxxxxxxxxxxx> wrote:

Sorry to email you directly, but I am doing this to give you the complete, unedited config files. I don't want them on an indexed mailing list for security reasons. Either you or I can post back to the list so others are aware of the findings.

So I have made the NameVirtualHost edit in my listen.conf file:

Listen 80


<IfDefine SSL>
    <IfDefine !NOSSL>
    <IfModule mod_ssl.c>

#        Listen 443

    </IfModule>
    </IfDefine>
</IfDefine>


# Use name-based virtual hosting
#
# - on a specified address / port:
#
#NameVirtualHost 12.34.56.78:80
#
# - name-based virtual hosting:
#
NameVirtualHost *:443

Here is the "main" ssl virtual host:

<IfDefine SSL>
<IfDefine !NOSSL>

<VirtualHost *:443>
    #This will be the default vhost because the name starts with 000

    #  General setup for the virtual host
    #DocumentRoot "/srv/www/htdocs"
    ServerName teknerds.net:443
    ServerAlias mail.* ifolder.*

    #This rewrites https://mail.anydomain.tld to our mail server
    RewriteEngine On
    RewriteCond %{HTTP_HOST} ^mail\.
    RewriteCond %{HTTPS} on
    RewriteRule ^/(.*) https://192.168.124.3/$1 [P]
    #RedirectMatch ^/$ /zimbra/

    #This rewrites https://mail.anydomain.tld to our mail server
    #RewriteEngine On
    #RewriteLog /var/log/apache2/rewrite.log
    #RewriteLogLevel 3
    #RewriteCond %{HTTP_HOST} ^apps\.
    #RewriteCond %{HTTPS} on
    #RewriteRule ^/(.*) https://192.168.123.7/rdweb/ [P]
    #RedirectMatch ^/$ /rdweb/

    RewriteCond %{HTTP_HOST} ^webmail\.
    RewriteCond %{HTTPS} on
    RewriteRule ^/(.*) https://192.168.124.3/$1 [P]

    #This rewrites https://ifolder.anydomain.tld to our ifolder server
    #RewriteCond %{HTTP_HOST} ^ifolder\.
    #RewriteCond %{HTTPS} on
    #RewriteRule ^/(.*) https://192.168.123.4/ifolder/$1 [P]
    #RedirectMatch ^/$ /ifolder/

    #This rewrites https://share.anydomain.tld to our alfresco server
    #RewriteCond %{HTTP_HOST} ^share\.
    #RewriteCond %{HTTPS} on
    #RewriteRule ^/(.*) http://192.168.123.3:8080/share/$1 [P]

    #ServerAdmin webmaster@xxxxxxxxxxx
    ErrorLog /var/log/apache2/error_log
    TransferLog /var/log/apache2/access_log

    SSLProxyEngine On
    ProxyPreserveHost On
    ProxyPass /ifolder https://192.168.123.4/ifolder
    ProxyPassReverse /ifolder https://192.168.123.4/ifolder
    ProxyPass /simias10 https://192.168.123.4/simias10
    ProxyPassReverse /simias10 https://192.168.123.4/simias10
    ProxyPass /admin https://192.168.123.4/admin
    ProxyPassReverse /admin https://192.168.123.4/admin
    ProxyPass /nps https://192.168.123.4/nps
    ProxyPassReverse /nps https://192.168.123.4/nps
    #ProxyPass / https://192.168.124.3/
    #ProxyPassReverse / https://192.168.124.3/
    #<Proxy *>
    #    Order allow,deny
    #    Allow from all
    #</Proxy>

    #   SSL Engine Switch:
    #   Enable/Disable SSL for this virtual host.
    SSLEngine on

    #   SSL Cipher Suite:
    #   List the ciphers that the client is permitted to negotiate.
    #   See the mod_ssl documentation for a complete list.
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

    #   Server Certificate:
    #   Point SSLCertificateFile at a PEM encoded certificate.  If
    #   the certificate is encrypted, then you will be prompted for a
    #   pass phrase.  Note that a kill -HUP will prompt again.  Keep
    #   in mind that if you have both an RSA and a DSA certificate you
    #   can configure both in parallel (to also allow the use of DSA
    #   ciphers, etc.)
    SSLCertificateFile /etc/apache2/ssl.crt/server.crt

Here is the apps virtualhost file:

<VirtualHost *:443>
  ServerName apps.teknerds.net
  SSLEngine On
  SSLCertificateFile /etc/apache2/ssl.crt/server.crt
  SSLCertificateKeyFile /etc/apache2/ssl.key/server.key

  ProxyPass / https://192.168.123.7/rdweb
  ProxyPassReverse / https://192.168.123.7/rdweb

    ErrorLog /var/log/apache2/apps.error_log
    TransferLog /var/log/apache2/apps.access_log
</VirtualHost>

With this present config, when going to https://apps.teknerds.net in IE 8, Internet Explorer cannot display the web page. The apps.error_log does not show anything in it except the certificate name not matching.
Also in this present config, webmail stops working and ifolder stops working. These are in the "main" ssl virtualhost and you access them via https://mail.teknerds.net and https://teknerds.net/ifolder. I am going to undo the listen.conf edit and rename the apps ssl host file, as we have customers that use these resources.
Should you want access to the server, I can supply that; just let me know. Thanks for the help.

----- Original Message -----
From: "Tom Evans" <tevans.uk@xxxxxxxxxxxxxx>
To: users@xxxxxxxxxxxxxxxx
Sent: Thursday, April 25, 2013 12:39:47 PM
Subject: Re:  Rewrite Rule

On Thu, Apr 25, 2013 at 4:53 PM, Chris Arnold
<carnold@xxxxxxxxxxxxxxxxxxx> wrote:
> On Apr 25, 2013, at 11:32 AM, "Tom Evans" wrote:
>
>> It looks like you are rewriting it to its current location. This
>> leads to a loop.
>>
>> Why are you using rewrite rules anyway?
> Because reverse proxy does not work
...

The *only* way to get content from a backend is via reverse proxy.

>> It seems like you want to
>> reverse proxy from an apache server with a public IP to a backend
>> webserver in your private LAN. Where do rewrite rules come in to this?
>> Why are you checking the host name in your rewrite rules, instead of
>> using vhosts? Why is this not your configuration:
> As I stated in an earlier post, apache does not start when there is more
> than 1 ssl virtual host (complains about overlap)

Not using vhosts is frankly more trouble than it is worth. Use vhosts.
Post about the problem that using vhosts gives you. You must be using
the same certificate for both hostnames anyway (presumably a wildcard
cert or using subjectAltName, or you just ignore the errors?), so the
configuration should be pretty straightforward.

>> ServerName apps.tld
>> ProxyPass / https://192.168.123.7/
>> ProxyPassReverse / https://192.168.123.7/
> We have many different things that run on this server and apache handles
> them. When using "/" in your proxy config, everything stops working, email,
> other websites etc.

So don't proxy from /, or add specific excludes for the paths you do
not want to be proxied:

ProxyPass /email !
ProxyPass / https://192.168.123.7/

Again, this problem goes away if you correctly separate out your
separate hosts into their own vhost configuration.

>> I'm very confused by what you're trying to achieve.
> I covered this in my first email but will try to describe it again: server
> behind an apache server that we need users to get to using
> https://apps.domain.tld. The app resides at http:///sub. We need apache to
> catch the https://apps.domain.tld request and send to https://another
> server/sub

NameVirtualHost *:443

<VirtualHost *:443>
  ServerName www.domain.tld
  SSLEngine On
  SSLCertificateFile ..
  SSLCertificateKeyFile ..

  # All your current directives that apply to www
</VirtualHost>

<VirtualHost *:443>
  ServerName apps.domain.tld
  SSLEngine On
  SSLCertificateFile ..
  SSLCertificateKeyFile ..

  ProxyPass / https://192.168.123.7/
  ProxyPassReverse / https://192.168.123.7/
</VirtualHost>

Cheers

Tom

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx




Previewing your email would probably have been a good idea :)

Frank
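The layout Tom argues for, one name-based TLS vhost per hostname with the reverse-proxy directives living inside the vhost that owns that hostname, written out as an added example. This is not configuration from the thread or from either poster. Hostnames, backend addresses, log and certificate paths are the ones quoted in the thread; the cipher list, the backend-verification lines, the `/static` exclusion path and the CA file path are assumptions added here. It uses the Apache 2.2 directives the thread uses (on 2.4 the NameVirtualHost line is unnecessary). Without SNI every vhost on one address:port presents the certificate of the first vhost, so, as Tom notes, the certificate must cover every ServerName (a wildcard or subjectAltName cert); with SNI-capable clients and Apache 2.2.12 or later each vhost may carry its own.

```apache
# Added example, not from the thread. Apache 2.2 style, as in the thread.
# Apache does not accept trailing comments on directive lines, so every
# comment here sits on its own line.

# The port has to be listened on somewhere; a commented-out "Listen 443"
# leaves "NameVirtualHost *:443" with nothing to bind to.
Listen 443
NameVirtualHost *:443

# TLS settings shared by every vhost below. The cipher list is an
# assumption added here: the list quoted in the thread still admits
# SSLv2, export-grade, LOW and NULL-encryption ciphers.
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!MD5
SSLHonorCipherOrder on

# The first *:443 vhost is the default for any Host header that matches
# no ServerName/ServerAlias, so keep the general-purpose site here.
<VirtualHost *:443>
    ServerName teknerds.net
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/server.key

    # Required in any vhost whose ProxyPass target is https://
    SSLProxyEngine on
    # Optional hardening (assumed CA file path): only proxy to a backend
    # whose certificate chains to the internal CA.
    # SSLProxyVerify require
    # SSLProxyCACertificateFile /etc/apache2/ssl.crt/internal-ca.pem

    # Only these prefixes go to the iFolder host; everything else is
    # served locally by this vhost.
    ProxyPass        /ifolder  https://192.168.123.4/ifolder
    ProxyPassReverse /ifolder  https://192.168.123.4/ifolder
    ProxyPass        /simias10 https://192.168.123.4/simias10
    ProxyPassReverse /simias10 https://192.168.123.4/simias10
    ProxyPass        /admin    https://192.168.123.4/admin
    ProxyPassReverse /admin    https://192.168.123.4/admin
    ProxyPass        /nps      https://192.168.123.4/nps
    ProxyPassReverse /nps      https://192.168.123.4/nps

    ErrorLog    /var/log/apache2/error_log
    TransferLog /var/log/apache2/access_log
</VirtualHost>

# Webmail hostnames. No RewriteCond on %{HTTP_HOST} is needed: the vhost
# itself is selected by ServerName/ServerAlias, and a plain ProxyPass
# replaces "RewriteRule ... [P]".
<VirtualHost *:443>
    ServerName  mail.teknerds.net
    ServerAlias webmail.teknerds.net
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/server.key

    SSLProxyEngine on
    ProxyPreserveHost on
    ProxyPass        / https://192.168.124.3/
    ProxyPassReverse / https://192.168.124.3/

    ErrorLog    /var/log/apache2/mail.error_log
    TransferLog /var/log/apache2/mail.access_log
</VirtualHost>

# Remote apps hostname. Proxying "/" here affects only this hostname,
# not the sites in the other vhosts.
<VirtualHost *:443>
    ServerName apps.teknerds.net
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/server.key

    SSLProxyEngine on
    # An exclusion ("!") must precede the broader rule it carves out of.
    # /static is an assumed locally served path.
    ProxyPass /static !
    # Both sides end in "/": ProxyPass appends the rest of the request
    # path verbatim, so "/ https://host/rdweb" would map /foo to /rdwebfoo.
    ProxyPass        / https://192.168.123.7/rdweb/
    ProxyPassReverse / https://192.168.123.7/rdweb/

    ErrorLog    /var/log/apache2/apps.error_log
    TransferLog /var/log/apache2/apps.access_log
</VirtualHost>
```

Before reloading, `apachectl -S` lists the parsed vhosts per address:port and is the quickest way to confirm that all three are recognised as name-based vhosts on *:443 rather than overlapping IP-based ones; `apachectl configtest` catches the syntax errors that a trailing comment or a missing module would produce.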
