Apache 2.2.9 + haproxy + stunnel + mod_rewrite fun

Hey guys (and gals) -

Let me first start out with an overall description of what I hope to
accomplish, then talk about what I've spent all day doing.  Hopefully
someone can tell me what I'm doing wrong.

I have a requirement for a staging site to force users to SSL for a
particular CGI script.  I'm not running mod_ssl on Apache, rather SSL
is provided externally by stunnel (which decrypts traffic and then
passes it on). The reason that this is done is to remain as close to
our production configurations as conceivable in staging (in
production, SSL is handled by a hardware accelerator).  So here's a
picture of my setup (apologies for the horrid artwork):

------------
|   User   |
------------
     |
     |
     |
------------
| haproxy  |
| port 80  |
------------
     |
     |
     |
|------------|
| Apache     |----------|---------|
| port 56153 |          | Redirect|
--------------          | to SSL  |
     |                  -----------
     |                        |
     |                        |
     |                  |---------|
     |                  | stunnel |
     |                  |---------|
     |                       |
     |                       |
     |                  |---------|
     |                  |         |
     |------------------| haproxy |
                        | port 81 |
                        |         |
                        -----------

You'll notice that both SSL and non-SSL talk to the same Apache vhost.
I have the following mod_rewrite rules in place:


RewriteEngine On

# redirects to secure site
#RewriteRule ^/$ https://somewhere.com/cgi-bin/mt.cgi [R,L]

RewriteLog logs/rewrite.log
RewriteLogLevel 5
RewriteCond %{REQUEST_URI} ^/cgi-bin(.*)$
RewriteCond %{SERVER_PORT} !^81$
RewriteRule (.*)$ https://somewhere.com$1 [R,L]

However, as can be seen from the following snippet from the
rewrite.log, it appears that %{SERVER_PORT} is always evaluating to
80, even though port 80 is nowhere in the path of the request after
redirecting to SSL. I've verified by directly going to the webserver
on port 56153 that the value is as expected, as well as directly
through haproxy on port 81 (it correctly evaluates to 56153 and 81,
respectively).  This snippet is from a request that went to port 81 on
haproxy via port 443, decrypted by stunnel.

165.193.222.20 - - [11/Jan/2010:17:23:56 +0000]
[somewhere.com/sid#4f06840][rid#4f94f88/initial] (2) init rewrite
engine with requested uri /cgi-bin/mt.cgi
165.193.222.20 - - [11/Jan/2010:17:23:56 +0000]
[somewhere.com/sid#4f06840][rid#4f94f88/initial] (3) applying pattern
'^/$' to uri '/cgi-bin/mt.cgi'
165.193.222.20 - - [11/Jan/2010:17:23:56 +0000]
[somewhere.com/sid#4f06840][rid#4f94f88/initial] (3) applying pattern
'(.*)$' to uri '/cgi-bin/mt.cgi'
165.193.222.20 - - [11/Jan/2010:17:23:56 +0000]
[somewhere.com/sid#4f06840][rid#4f94f88/initial] (4) RewriteCond:
input='/cgi-bin/mt.cgi' pattern='^/cgi-bin(.*)$' => matched
165.193.222.20 - - [11/Jan/2010:17:23:56 +0000]
[somewhere.com/sid#4f06840][rid#4f94f88/initial] (4) RewriteCond:
input='80' pattern='!^81$' => matched
165.193.222.20 - - [11/Jan/2010:17:23:56 +0000]
[somewhere.com/sid#4f06840][rid#4f94f88/initial] (2) rewrite
'/cgi-bin/mt.cgi' -> 'https://somewhere.com/cgi-bin/mt.cgi'
165.193.222.20 - - [11/Jan/2010:17:23:56 +0000]
[somewhere.com/sid#4f06840][rid#4f94f88/initial] (2) explicitly
forcing redirect with https://somewhere.com/cgi-bin/mt.cgi
165.193.222.20 - - [11/Jan/2010:17:23:56 +0000]
[somewhere.com/sid#4f06840][rid#4f94f88/initial] (1) escaping
https://somewhere.com/cgi-bin/mt.cgi for redirect
165.193.222.20 - - [11/Jan/2010:17:23:56 +0000]
[somewhere.com/sid#4f06840][rid#4f94f88/initial] (1) redirect to
https://somewhere.com/cgi-bin/mt.cgi [REDIRECT/302]
165.193.222.20 - - [11/Jan/2010:17:23:56 +0000]
[somewhere.com/sid#4f06840][rid#4f99aa8/initial/redir#1] (2) init
rewrite engine with requested uri /302.html
165.193.222.20 - - [11/Jan/2010:17:23:56 +0000]
[somewhere.com/sid#4f06840][rid#4f99aa8/initial/redir#1] (3) applying
pattern '^/$' to uri '/302.html'
165.193.222.20 - - [11/Jan/2010:17:23:56 +0000]
[somewhere.com/sid#4f06840][rid#4f99aa8/initial/redir#1] (3) applying
pattern '(.*)$' to uri '/302.html'
165.193.222.20 - - [11/Jan/2010:17:23:56 +0000]
[somewhere.com/sid#4f06840][rid#4f99aa8/initial/redir#1] (4)
RewriteCond: input='/302.html' pattern='^/cgi-bin(.*)$' => not-matched
165.193.222.20 - - [11/Jan/2010:17:23:56 +0000]
[somewhere.com/sid#4f06840][rid#4f99aa8/initial/redir#1] (1) pass
through /302.html


I'm at a complete loss as to what I've done wrong here, or where port
80 is even coming from.

Thanks in advance for any help that you can give

-Jon

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
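Editor's note and added example (not part of Jon's post and not Apache project code). The observed values are consistent with how Apache 2.2 computes SERVER_PORT under the default UseCanonicalName Off: it takes the port from the client's Host header and, when the header carries no port, falls back to the scheme default of 80. A browser that connected to stunnel on 443 sends "Host: somewhere.com" with no port, so Apache reports 80; requests made directly to :56153 or :81 carry that port in the Host header, which is why those paths report 56153 and 81. UseCanonicalPhysicalPort On would not help either, since every path then reports the listening port 56153. The usual fix is to stop inferring the scheme from the port and instead have the proxy tell Apache which frontend the request came through in a header, then test that header. The vhost below reuses the hostname and port numbers from the post; the header name X-Forwarded-Proto and the haproxy directives in the note after it are the conventional choice, assumed here rather than taken from the post.

```apache
# Apache 2.2 backend vhost (added example, editor's own, not from the post).
# Assumes haproxy sets X-Forwarded-Proto on every forwarded request:
#   port-81 frontend (behind stunnel): X-Forwarded-Proto: https
#   port-80 frontend (plain HTTP):     X-Forwarded-Proto: http
# and that port 56153 accepts connections only from the haproxy host.
<VirtualHost *:56153>
    ServerName somewhere.com

    RewriteEngine On

    # Weak version from the post: %{SERVER_PORT} is derived from the port in
    # the Host header, which a TLS client never sends, so this always sees 80
    # and redirects even requests that already arrived over SSL.
    #RewriteCond %{SERVER_PORT} !^81$

    # Hardened version: trust the proxy-set header, not the port.
    # Redirect /cgi-bin/* to HTTPS unless the request came in via stunnel.
    RewriteCond %{REQUEST_URI} ^/cgi-bin/
    RewriteCond %{HTTP:X-Forwarded-Proto} !^https$
    RewriteRule ^(.*)$ https://somewhere.com$1 [R=301,L]

    # Let the CGI script see HTTPS=on, as it would under mod_ssl, so it can
    # emit Secure cookies and build https:// URLs of its own.
    SetEnvIf X-Forwarded-Proto "^https$" HTTPS=on
</VirtualHost>
```

The header is only as trustworthy as the path it travels, so two things on the haproxy side matter. On haproxy 1.5 and later, put `http-request set-header X-Forwarded-Proto https` in the port-81 frontend and `http-request set-header X-Forwarded-Proto http` in the port-80 frontend; set-header overwrites any value the client supplied, where add-header would append to it. On the 1.3/1.4 releases current when this was posted, the equivalent is `reqidel ^X-Forwarded-Proto:` followed by `reqadd X-Forwarded-Proto:\ https` (or `http`). Second, a client that can reach Apache on 56153 directly can send `X-Forwarded-Proto: https` itself and skip the redirect entirely, so bind that port to loopback or firewall it to the proxy host. A quick check of both points: `curl -sI -H 'X-Forwarded-Proto: https' http://somewhere.com/cgi-bin/mt.cgi` should still return the 301, proving the spoofed header was overwritten on the way through port 80, while the same request via https:// should return the script's own response.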

