Re: [users@httpd] Apache 2 mod_proxy & mod_rewrite questions

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

To: users@xxxxxxxxxxxxxxxx
Subject: Re: [users@httpd] Apache 2 mod_proxy & mod_rewrite questions
From: "Serge Dubrouski" <sergeyfd@xxxxxxxxx>
Date: Fri, 29 Sep 2006 10:03:09 -0600
Authentication-results: idunn.apache.osuosl.org header.from=sergeyfd@xxxxxxxxx; domainkeys=good
Delivered-to: apmail-httpd-users-archive@xxxxxxxxxxxxxx
Delivered-to: apmail-httpd-users-archive@xxxxxxxxxxxxxxxx
Delivered-to: mailing list users@xxxxxxxxxxxxxxxx
In-reply-to: <a61a0e000609290856h5604e8b8x6ff7dd585836a6e5@xxxxxxxxxxxxxx>
Mailing-list: contact users-help@xxxxxxxxxxxxxxxx; run by ezmlm
References: <s51acbc4.020@xxxxxxxxxxxxxxxx> <a61a0e000609280814x68f440dcve0c262ee84ff8b29@xxxxxxxxxxxxxx> <53e25c990609281414s5bd2ee4dt7c56517afa8e1e16@xxxxxxxxxxxxxx> <a61a0e000609281433r2a27167ex5cb4785dea5e6498@xxxxxxxxxxxxxx> <868cbbaa0609281441t6c450250i84c84bd6865ca1bb@xxxxxxxxxxxxxx> <a61a0e000609290741l1d04ee46of39ae351860c36ab@xxxxxxxxxxxxxx> <868cbbaa0609290834l78f2b21av338e7f8c870fca86@xxxxxxxxxxxxxx> <a61a0e000609290856h5604e8b8x6ff7dd585836a6e5@xxxxxxxxxxxxxx>
Reply-to: users@xxxxxxxxxxxxxxxx

If I'm right about absolute links the best way to fix that is make
your backend server  to produce relative links only, i.e. without
server name.
Other way is writing a special handler that would parse all aoutgoing
data and strip the name of backend servere from the links. Of course
it will lead into a huge performance lose.


On 9/29/06, Jeff DeFord <jeff.deford@xxxxxxxxx> wrote:

Hmmm, interesting.  So how do I get around this? I am perplexed to say
the least...

On 9/29/06, Serge Dubrouski <sergeyfd@xxxxxxxxx> wrote:
> I've tested kind of your configuration and everything works all right
> in mine test environment. So I still think that your real server
> (Oracle Application Server) somehow generates absolute (not realive)
> links. I'm almost sure in that.
>
> On 9/29/06, Jeff DeFord <jeff.deford@xxxxxxxxx> wrote:
> > AFAIK, it is all static content with some jsp pages. No CGI/PHP/Etc...
> > The real server is an Oracle application server, so all of the web
> > content was derived from the installation process script "AutoConfig".
> >
> > My confusion is in trying to get the URL's rewritten and proxied that
> > go beyond the root level.  I have tried various combinations of
> > ProxyPass and ProxyPassReverse statements, Rewrite Rules, etc and so
> > far I can only get the root-level HTML to proxy and rewrite.
> >
> > so the real url
> > https://realserver:8050/some_page.html
> >
> > appears to be
> > https://proxyserver/some_page.html
> >
> > Just as it should.
> >
> > But mousing over or clicking any url with a directory path beyond "/"
> > shows that the URL does not get rewritten or proxied and I have tried
> > a myriad of combinations iwth ProxyPass/Reverse and RewriteRule
> > directives all to no avail.
> >
> > Here are the important bits of the httpd.conf file:
> >
> > <VirtualHost *:80>
> >   ServerName proxy_server
> >   RewriteEngine   On
> >   RewriteLogLevel 9
> >   RewriteLog      logs/rewrite_log
> >   ## Redirect all incoming HTTP requests to HTTPS locally before proxying.
> >   RewriteRule ^/(.*) https://proxy_server/$1 [R,L]
> > </VirtualHost>
> >
> >
> > <VirtualHost _default_:443>
> >   # General setup for the virtual host
> >   ServerName proxy_server
> >   SSLEngine on
> >   SSLOptions +StrictRequire
> >   SSLProtocol -all +TLSv1 +SSLv3
> >   SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
> >
> >   # Server Certificate:
> >   SSLCertificateFile conf/ssl.crt/server.crt
> >   # Server Private Key:
> >   SSLCertificateKeyFile conf/ssl.key/server.key
> >   # SSL Protocol Adjustments:
> >   SetEnvIf User-Agent ".*MSIE.*" \
> >   nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
> >   # Per-Server Logging:
> >   #CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x
> > %{SSL_CIPHER}x \"%r\" %b"
> >   CustomLog logs/ssl_request_log common
> >
> >   RewriteEngine   On
> >   RewriteLogLevel 9
> >   RewriteLog      logs/rewrite_log
> >
> >   ProxyRequests     Off
> >   SSLProxyEngine    On
> >   SSLProxyCACertificateFile conf/cacerts.crt
> >   ProxyPreserveHost On
> >   ProxyPass              /      https://real_server:8050/
> >   ProxyPassReverse  /      https://real_server:8050/
> > </VirtualHost>
> >
> >
> > I have tried putting proxy rules in the 443 virtual host
> > I have tried putting proxy rules in the IfModule mod_proxy.c section
> > I have tried rewrite rules in all kinds of places and all kinds of
> > combinations of proxy and rewrite directives...
> > But somehow I can't get the combination right.
> >
> > I want URLs from the real server like this one
> > https://real_server:8050/dir1/dir2/jsp/some_page.jsp
> >
> > to get proxied and appear as if they came from the proxy server
> > https://proxy_server/dir1/dir2/jsp/some_page.jsp
> >
> > I just don't know where to put the rules and if I need both porxy and
> > rewrite rules for every possible URL/directory structure combination
> > that exists on the real server.
> >
> > Any help or direction would be greatly appreciated.
> >
> > -=jeff
> >
> >
> > On 9/28/06, Serge Dubrouski <sergeyfd@xxxxxxxxx> wrote:
> > > What kind of "real" server do you have on backend? Does it have static
> > > content or dynamic? Could it be that your wrong links are generated on
> > > backend by PHP/ASP/CGI or any other dynamic application that uses
> > > $SEVER_NAME or some other variable to build absolute links?
> > >
> > > On 9/28/06, Jeff DeFord <jeff.deford@xxxxxxxxx> wrote:
> > > > For testing purposes, I'm using a self-signed sert on the proxy server
> > > > for the initial redirection, then the proxy server acts as a SSL
> > > > client for all proxied requests that are handed off to the app server
> > > > which is listening on port 8050 (SSL) using a real certificate.
> > > >
> > > > I copied the real cert file to the proxy server and put it in a file
> > > > called cacerts.crt and added the directive shown below to the
> > > > httpd.conf file:
> > > >
> > > > SSLProxyCACertificateFile conf/cacerts.crt
> > > >
> > > > In this configuration, the proxy server can be configured to be a SSL
> > > > client for many sites each having their own cert.
> > > >
> > > > My problem is getting the proxy server configured so that mod_proxy
> > > > and mod_rewrite do their job for the URLs on the app server that are
> > > > below the root level and incorporate multiple levels of directories in
> > > > the URL. It all works great for foor-level URL's.
> > > >
> > > > I hope I answered your question. Now if someone could help me answer mine...
> > > >
> > > > -=jeff
> > > >
> > > >
> > > > On 9/28/06, John king <johnking06@xxxxxxxxx> wrote:
> > > > > Where is your server cert installed? If it is installed on the reverse proxy
> > > > > server, do you decrypte the incoming HTTPS
> > > > > traffic and re-encrypte it again in the proxy server before sending it to
> > > > > the next host?
> > > > >
> > > > >
> > > > > On 9/28/06, Jeff DeFord <jeff.deford@xxxxxxxxx> wrote:
> > > > > > Not sure if that would work since all requests are HTTPS...
> > > > > > Can you elaborate?
> > > > > >
> > > > > > Here are the modules I compiled in when I built Apache:
> > > > > > # ./httpd -l
> > > > > > Compiled in modules:
> > > > > >   core.c
> > > > > >   mod_access.c
> > > > > >   mod_auth.c
> > > > > >   mod_log_config.c
> > > > > >   mod_headers.c
> > > > > >   mod_setenvif.c
> > > > > >   mod_proxy.c
> > > > > >   proxy_connect.c
> > > > > >   proxy_ftp.c
> > > > > >   proxy_http.c
> > > > > >   mod_ssl.c
> > > > > >   prefork.c
> > > > > >   http_core.c
> > > > > >   mod_mime.c
> > > > > >   mod_status.c
> > > > > >   mod_dir.c
> > > > > >   mod_rewrite.c
> > > > > >   mod_so.c
> > > > > >
> > > > > >
> > > > > > On 9/27/06, Jim BAO <JXB6@xxxxxxx> wrote:
> > > > > > > Did you try HTTP Connect?
> > > > > > >
> > > > > > > >>> jeff.deford@xxxxxxxxx 9/27/2006 10:35 AM >>>
> > > > > > > All:
> > > > > > >
> > > > > > > I have some questions regarding the way to implement
> > > > > > > Apache as a reverse proxy server using mod_rewrite in order to mask the
> > > > > > > real
> > > > > > > URLs. Users will connect to the proxy, then the proxy will connect to
> > > > > > > the real server that is listening on port 8050 (SSL)
> > > > > > >
> > > > > > >
> > > > > > > So far this is what I have working:
> > > > > > >
> > > > > > > Proxy server listining on port 80 and on 443 and I am
> > > > > > > using a rewrite rule to force a rediect to 443 only as shown below:
> > > > > > >
> > > > > > >  ## Redirect all incoming HTTP requests to HTTPS locally before
> > > > > > > proxying.
> > > > > > >  RewriteRule ^/(.*) https://proxy.server.com/$1 [R,L]
> > > > > > >
> > > > > > > This works just as expected as my initial http connection gets forced
> > > > > > > to https.
> > > > > > >
> > > > > > > Then I have the following proxy statements set up as shown below for
> > > > > > > the default SSL virtual host on the proxy server:
> > > > > > >
> > > > > > >  ProxyRequests     Off
> > > > > > >  SSLProxyEngine    On
> > > > > > >  SSLProxyCACertificateFile conf/cacerts.crt
> > > > > > >  ProxyPreserveHost On
> > > > > > >  ProxyPass         / https://real.server.com:8050/
> > > > > > >  ProxyPassReverse  / https://real.server.com:8050/
> > > > > > >
> > > > > > > This all works great for all of the base URLs on the root level. The
> > > > > > > home
> > > > > > > page URLs on the real server get rewritten and appear to have
> > > > > > > originated from the proxy server when I mouse over or
> > > > > > > click on a root-level URL.
> > > > > > >
> > > > > > > However, any URL with a subdirectory below the root level on the real
> > > > > > > server does not get rewritten and the real URL (the complete URL on
> > > > > > > the real server including the port number 8050) is visible on the
> > > > > > > proxied web page.
> > > > > > >
> > > > > > > Now, how do go I about getting this to work for all of the URLs with
> > > > > > > subdirectories? I have read through the documentation and I am stuck.
> > > > > > >
> > > > > > > Do I need rewrite rules for each URL that has a subdirectly below the
> > > > > > > root with a subsequent ProxyPass and ProxyPassReverse statement?
> > > > > > >
> > > > > > > Do my rewrite rules need to use the proxy flag [P]? Or will they work
> > > > > > > once written to mimic the root-level rules?
> > > > > > >
> > > > > > > Many thanks in advance for any help that you may provide....
> > > > > > >
> > > > > > >
> > > > > > > -=jeff
> > > > > > >
> > > > > > >
> > > > > ---------------------------------------------------------------------
> > > > > > > The official User-To-User support forum of the Apache HTTP Server
> > > > > > > Project.
> > > > > > > See <URL: http://httpd.apache.org/userslist.html> for
> > > > > more info.
> > > > > > > To unsubscribe, e-mail:
> > > > > users-unsubscribe@xxxxxxxxxxxxxxxx
> > > > > > >   "   from the digest:
> > > > > users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> > > > > > > For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
> > > > > > >
> > > > > > >
> > > > > ---------------------------------------------------------------------
> > > > > > > The official User-To-User support forum of the Apache HTTP Server
> > > > > Project.
> > > > > > > See <URL: http://httpd.apache.org/userslist.html> for
> > > > > more info.
> > > > > > > To unsubscribe, e-mail:
> > > > > users-unsubscribe@xxxxxxxxxxxxxxxx
> > > > > > >   "   from the digest:
> > > > > users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> > > > > > > For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
> > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > > ---------------------------------------------------------------------
> > > > > > The official User-To-User support forum of the Apache HTTP Server Project.
> > > > > > See <URL: http://httpd.apache.org/userslist.html> for
> > > > > more info.
> > > > > > To unsubscribe, e-mail:
> > > > > users-unsubscribe@xxxxxxxxxxxxxxxx
> > > > > >    "   from the digest:
> > > > > users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> > > > > > For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > > > ---------------------------------------------------------------------
> > > > The official User-To-User support forum of the Apache HTTP Server Project.
> > > > See <URL:http://httpd.apache.org/userslist.html> for more info.
> > > > To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> > > >    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> > > > For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
> > > >
> > > >
> > >
> > > ---------------------------------------------------------------------
> > > The official User-To-User support forum of the Apache HTTP Server Project.
> > > See <URL:http://httpd.apache.org/userslist.html> for more info.
> > > To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> > >   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> > > For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
> > >
> > >
> >
> > ---------------------------------------------------------------------
> > The official User-To-User support forum of the Apache HTTP Server Project.
> > See <URL:http://httpd.apache.org/userslist.html> for more info.
> > To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> >    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> > For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
> >
> >
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>
>

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx

Follow-Ups:
- Re: [users@httpd] Apache 2 mod_proxy & mod_rewrite questions
  - From: Serge Dubrouski

References:
- Re: [users@httpd] Apache 2 mod_proxy & mod_rewrite questions
  - From: Jim BAO
- Re: [users@httpd] Apache 2 mod_proxy & mod_rewrite questions
  - From: Jeff DeFord
- Re: [users@httpd] Apache 2 mod_proxy & mod_rewrite questions
  - From: John king
- Re: [users@httpd] Apache 2 mod_proxy & mod_rewrite questions
  - From: Jeff DeFord
- Re: [users@httpd] Apache 2 mod_proxy & mod_rewrite questions
  - From: Serge Dubrouski
- Re: [users@httpd] Apache 2 mod_proxy & mod_rewrite questions
  - From: Jeff DeFord
- Re: [users@httpd] Apache 2 mod_proxy & mod_rewrite questions
  - From: Serge Dubrouski
- Re: [users@httpd] Apache 2 mod_proxy & mod_rewrite questions
  - From: Jeff DeFord

Prev by Date: Re: [users@httpd] Apache 2 mod_proxy & mod_rewrite questions
Next by Date: Re: [users@httpd] Apache 2 mod_proxy & mod_rewrite questions
Previous by thread: Re: [users@httpd] Apache 2 mod_proxy & mod_rewrite questions
Next by thread: Re: [users@httpd] Apache 2 mod_proxy & mod_rewrite questions
Index(es):
- Date
- Thread

[Index of Archives] [Open SSH Users] [Linux ACPI] [Linux Kernel] [Linux Laptop] [Kernel Newbies] [Security] [Netfilter] [Bugtraq] [Squid] [Yosemite News] [MIPS Linux] [ARM Linux] [Linux Security] [Linux RAID] [Samba] [Video 4 Linux] [Device Mapper]