RE: 403 Forbidden error with rewrite [P] flag

Well, P flag should be enough, but make sure the site you are
redirecting to (the intranet web server) doesn't do an HTTP redirect. If
it does (and if it doesn't, that's safer anyway), you must use
ProxyPassReverse.

Also, make sure you don't use "R" flag! But I guess it's not permitted
to use it along with P anyway...

Olivier

Olivier CHIROUZE
I&0 Infrastructure
Volvo Information Technology
 

> -----Original Message-----
> From: Bruno Teixeira [mailto:brunoteixa@xxxxxxxxx] 
> Sent: 21 February 2007 11:46
> To: users@xxxxxxxxxxxxxxxx
> Subject: Re:  403 Forbidden error with rewrite [P] flag
> 
> Hi krist,
> 
> thank you very much for your suggestion. It wasn't the only problem with
> my configuration - I also had "deny from all" in the proxy.conf file -
> but with the SSLProxy On directive the rewrite now works.
> 
> But I still have a problem: the original address isn't kept in the
> address bar... this is a problem because the proxy is the only external
> IP address. How can I keep the original address in the browser's address
> bar? Isn't this possible with the rewrite [P]? I have read that it is
> possible with an "old fashion" reverse proxy, doesn't the [P] do the same?
> 
> Thank you for your time
> 
> Bruno Teixeira
> 
> Krist van Besien wrote:
> > On 2/16/07, Bruno Teixeira <brunoteixa@xxxxxxxxx> wrote:
> > 
> >> I've been browsing the web for a solution to my problem, but all I can
> >> find are similar problems, no solutions...
> >>
> >> I am using a rewrite rule to rewrite "http://192.168.2.251/secure"
> >> requests to "https://192.168.2.198/". This works fine, but I don't want the
> >> user to see the "198 IP", but to always see the "251". To accomplish this, I
> >> thought I only had to add a "P flag" to the rewrite rule, but when I do
> >> so, I get a "403 Forbidden error". I have the proxy module loaded!
> >>
> >> I would really appreciate some input. Thank you for your time.
> > 
> > You're welcome.
> > 
> >>
> >> I get this on the error log:
> >>
> >> [Fri Feb 16 11:13:14 2007] [error] [client 192.168.2.251] client denied
> >> by server configuration: proxy:https://192.168.2.198
> >>
> >> and this on the rewrite log:
> >>
> >> 192.168.2.251 - - [16/Feb/2007:11:16:04 +0000]
> >> [192.168.2.251/sid#8162818][rid#82a2440/initial] (2) init rewrite engine
> >> with requested uri /secure
> >> 192.168.2.251 - - [16/Feb/2007:11:16:04 +0000]
> >> [192.168.2.251/sid#8162818][rid#82a2440/initial] (2) rewrite /secure ->
> >> https://192.168.2.198
> >> 192.168.2.251 - - [16/Feb/2007:11:16:04 +0000]
> >> [192.168.2.251/sid#8162818][rid#82a2440/initial] (2) forcing
> >> proxy-throughput with https://192.168.2.198
> >> 192.168.2.251 - - [16/Feb/2007:11:16:04 +0000]
> >> [192.168.2.251/sid#8162818][rid#82a2440/initial] (1) go-ahead with proxy
> >> request proxy:https://192.168.2.198 [OK]
> > 
> > What I see here is that a) your rewrite works, but b) your proxy
> > config has some problems.
> > 
> > The problem is that proxying to an https server requires a bit more
> > than just adding a P to a rewrite statement. When proxying to https
> > your apache server has to take on the role of an SSL client, which the
> > standard out of the box apache hasn't been set up for.
> > 
> > You need at least the following directives:
> > 
> > SSLProxyEngine on
> > SSLProxyCACertificatePath /usr/local/apache2/conf/ssl.crt/
> > 
> > And then in /usr/local/apache2/conf/ssl.crt/ (or whichever dir you
> > configure here) you need to add at least the root certificate of the
> > CA used to sign the SSL certificate you use on your https server.
> > 
> > You can find out more about this by reading up on the SSLProxy
> > directives in the manual.
> > 
> > Krist
> > 
> 
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
> 
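
The settings named across this thread, put together as one reverse-proxy configuration. This is an added example, not part of any poster's message; the addresses and CA directory are those quoted in the thread, and the RewriteRule pattern is an assumption because the poster's actual rule is not shown.

```apache
# Added example in Apache httpd 2.2-era syntax (on 2.4, use "Require all granted"
# / "Require all denied" in place of Order/Allow/Deny).
# Addresses and the CA directory are the ones quoted in the thread.

# Reverse proxy only: never serve as an open forward proxy.
ProxyRequests Off

# Access control for proxied requests. A blanket "deny from all" here is what
# produces "client denied by server configuration: proxy:https://...".
# Keep the default deny and open only the one backend the rule targets.
<Proxy *>
    Order deny,allow
    Deny from all
</Proxy>
<Proxy https://192.168.2.198/*>
    Order deny,allow
    Allow from all
</Proxy>

# httpd acts as the TLS client towards the backend.
SSLProxyEngine on
# Directory of PEM CA certificates, reached through hash-named links.
SSLProxyCACertificatePath /usr/local/apache2/conf/ssl.crt/
# SSLProxyVerify defaults to "none"; without "require" the CA directory above
# is never used to reject an untrusted backend certificate.
SSLProxyVerify require

RewriteEngine On
# Assumed pattern: /secure and anything below it maps onto the backend root.
# [P] hands the request to mod_proxy. No [R]: an external redirect would send
# the browser to 192.168.2.198 and change the address bar.
RewriteRule ^/secure(?:/(.*))?$ https://192.168.2.198/$1 [P]

# If the backend answers with its own HTTP redirect, rewrite the Location
# header back to the proxy's /secure/ prefix so the client stays on .251.
ProxyPassReverse /secure/ https://192.168.2.198/
```

The substitution ends in a slash so that the proxied URL matches the narrow `<Proxy https://192.168.2.198/*>` section rather than falling through to the default deny.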
