On Mon, Jun 22, 2009 at 9:10 PM, Scott Moseman<scmoseman@xxxxxxxxx> wrote:
> We have some SSL websites that proxy through to non-SSL websites on
> the inside. Here's a sample of how they are configured.
>
> <VirtualHost outside1.mysite.com:443>
> ProxyRequests Off
> ProxyPreserveHost On
> ProxyPass / http://inside:8000/subdirectory1/
> ProxyPassReverse / http://inside:8000/subdirectory1/
> ProxyPassReverseCookiePath /subdirectory1 /
> RewriteEngine On
> RewriteCond %{REQUEST_URI} ^/subdirectory1/(.*)
> RewriteRule ^/subdirectory1/(.*) /$1 [P]
> </VirtualHost>
>
> Internal websites that redirect by path (see below) work perfect, no problems.
>
> HTTP/1.1 302 Moved Temporarily
> Location: /subdirectory1/someotherpage.html
>
> Internal websites that redirect by full path (see below) cause a
> client timeout, because we don't allow port 80 from the outside.
>
> HTTP/1.1 302 Moved Temporarily
> Location: http://outside1.mysite.com/subdirectory2/someotherpage.html
>
> Obviously on an inbound non-SSL request, should I allow non-SSL, I
> could redirect to HTTPS. Is there anything I can do to rewrite the
> URL provided in the 302 request on its way out? Or is there nothing
> that Apache can do about that?
Normally that's what you have ProxyPassReverse for. The problem is
that your backend does a redirect to somewhere else than itself, so
your ProxyPassReverse statement does not get applied here.
Basically what ProxyPassReverse does is:
"If in a repsonse you see a location header with
http://inside:8000/subdirectory1/ replace it with /, then add your own
base url."
The best strategy would be to find out why your backend sends absolute
redirects this way, and try to get rid of them. This will save you the
trouble of having to contiously tweak your proxy.
Otherwise what you could try is add something like this:
ProxyPassReverse /subdirectory2/ http://outside1.mysite.com/subdirectory2/
This should cause the redirect to be rewritten to
https://outside1.mysite.com/subdirectory2/, as apache first rewrite
the Location header to /subdirectory2/, and then adds it's own
hostname, protocol and port.
Ofcourse you will also need to add proper proxy directives, as you
otherwise the request will still go nowhere.
So also add this:
ProxyPass / http://inside:8000/subdirectory2/
ProxyPassReverse / http://inside:8000/subdirectory2/
HTH,
Krist
--
krist.vanbesien@xxxxxxxxx
krist@xxxxxxxxxxxxx
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
" from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|