Strange behavior with directives ProxyRemote and NoProxy

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi there,

most combinations of directives ProxyRemote and NoProxy seem not to work correctly in my setup. As I couldn't find anything meaningful on the Internet, I'm asking this list.

My setup is as follows: (quite complex but typical)

Ubuntu Server 22.04 LTS
Apache httpd 2.4.52 (not the latest but didn't find a bug/fix in recent change logs)

Apache httpd is (among other things) also used as a proxy for requests to the Internet (to make some external sites appear being served from our application's host to work around some XSS/CORS issues). This is done with some simple RewriteRules, e.g.

RewriteRule "/proxy/external/foo/0815/" "https://foo.com/svc/0815/"; [P]

The server is running in intranet 10.0.0.0. All requests to the Internet have to go through the company's proxy server 10.5.10.20:8080.

Additionally, the httpd must also proxy a local/intranet service that is running on host 10.5.20.100. Requests to this host MUST NOT go though the company's proxy, which ONLY serves external/Internet sites.

Important(?) side note: through DNS the server can only resolve local/intranet names and addresses. The DNS refuses to resolve external/Internet names and addresses.

According to the docs, configuring ProxyRemote and NoProxy should be quite simple:

# All requests go through the company's proxy
ProxyRemote "*" "http://10.5.10.20:8080";

# Direct requests to all intranet hosts
NoProxy ".mycompany.local" "10.0.0.0/8"

This configuration works for both Apache Tomcat as well as for e.g. curl and wget (though http(s)_proxy and no_proxy environment variables).

However, this does not work with Apache httpd. It either doesn't use the remote proxy at all or sends all requests to the remote proxy.

It seems like NoProxy doesn't work exactly as described in the docs.

If I add the local domain ".mycompany.local" and/or the whole local subnet "10.0.0.0/8" to NoProxy, the remote proxy is actually never used. Logs show that in this case Apache httpd tries to directly connect to the external URL and gives up after a certain time and responds with a 503 Service Unavailable status.

Why is the remote proxy not used here? Is it, because the remote proxy is located in the same domain and subnet 10.0.0.0/8?

The remote proxy isn't used when I set NoProxy to just "10.5.0.0/16". One (weird) explanation is that the remote proxy is in the 10.5.0.0 subnet as well. However, typically, the decision of when to use the remote proxy should not depend the remote proxy's address (but only of the requested address).

When leaving NoProxy empty, the remote proxy is used and proxying external services works properly.

There's still the intranet service on host 10.5.20.100 to be reverse proxied as well. I must at least exclude requests to this host from being sent to the remote proxy. Setting

NoProxy "10.5.20.0/24"   (or "10.5.20", "10.5.20.0")

seems being ignored by httpd, so all requests, including those to 10.5.20.100, are still sent to the remote proxy.

Setting NoProxy to the IP address of the internal service ("10.5.20.100") or to it's hostname ("myintlservice.mycompany.local") is also ignored. All requests still get forwarded to the remote proxy.

Even with LogLevel proxy:trace5 there are no lines logged that say anything about the decision of using the configured remote proxy or not. So, I was left to try and error (for several days).

The documentation is quite clear about NoProxy. However, from my point of view the NoProxy feature seems not to work properly at all.

I'm I missing something? Since my C/C++ skills are just below intermediate (and httpd source code is quite "compact"), I'm not able to help myself by reading the sources or even to spot any bugs there (if any).

My current workaround is to use ProxyRemoteMatch with an expression that does NOT match any intranet sites:

ProxyRemoteMatch "^https?://(?!(.*\.)?mycompany\.local\b)" "http://10.5.20.1:8080";

This regular expression is quite "expensive" since it uses a negative lookahead so, this solution is sub-optimal.

Carsten




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx




[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux