ProxyPassMatch directive problems - apache2

We have an environment with Apache 2.2.11 acting as front end to incoming connections to a Tomcat backend server. We are using the following directives in the http-ssl.conf, which works great when not trying to catch 403 errors:
SetEnvIf COMPANY EDLP 4.0.1 NLEDLPKEY=true
General setup for the virtual host
DocumentRoot "C:/xampp/htdocs/"
ServerName localhost:443
ServerAdmin admin#localhost
ProxyRequests Off
ProxyPassMatch / htp://tomcat.company.com <-- been having issues with this directive (using only one "t" in http to bypass this site's "new users can only post one URL per question" limitation)
ProxyPassReverse / htp://tomcat.company.com
As you can see we are using the mod_access (now called mod_authz_host in Apache 2.2) module to pass a variable called NLEDLPKEY so that only (Internet Explorer) clients with this variable could access Tomcat via SSL. Also, I am trying to not only reverse proxy SSL connections, but also to redirect the 403 errors (for people without the variable) to a specified page (error_page.html). I have tried:
ProxyPassMatch "^[^(/error_page.html)]" htp://tomcat.company.com
and also tried
ProxyPassMatch "^(?!/error_page.html)" htp://tomcat.company.com
to see if it is possible to redirect to the error page and not get the below message:
Forbidden
You don't have permission to access /RDS on this server. <--RDS is just a directory-->
Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.
Apache/2.2.11 (Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i PHP/5.2.9 Server at apache-company Port 443
Any help would be appreciated
R.

I ran into this issue recently - it took a bit of hunting but here's how I fixed it:
In /etc/apache2/mods-available/proxy.conf (Ubuntu - YMMV) change it to look like the following:
<Proxy *>
AddDefaultCharset off
Order deny,allow
Deny from all
Allow from all
</Proxy>
It's also important to note that for reverse proxies, it is not necessary to have ProxyRequests On configured and doing so in conjunction with Allow from all is hazardous. (Can be used by spammers to send mail via your proxy.)
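The combination this answer warns about can be checked for mechanically. The following is an added example, not code from the original answers: a small Python audit that evaluates a `<Proxy *>` block under Apache 2.2 Order/Allow/Deny semantics and reports whether it coincides with ProxyRequests On. The function name and the two sample configurations are assumptions made for illustration.

```python
import re

def audit_proxy_conf(conf_text):
    """Report whether the config enables a forward proxy (ProxyRequests On)
    and whether a <Proxy *> block admits every client under 2.2 Order rules."""
    forward_proxy, open_wildcard, block = False, False, None
    for raw in conf_text.splitlines():
        line = raw.strip().lower()
        if not line or line.startswith("#"):
            continue
        if re.fullmatch(r"proxyrequests\s+on", line):
            forward_proxy = True
        elif re.fullmatch(r'<proxy\s+"?\*"?\s*>', line):
            # Order defaults to deny,allow when the block does not set it
            block = {"order": "deny,allow", "allow": False, "deny": False}
        elif line == "</proxy>" and block is not None:
            if block["order"] == "deny,allow":
                # Deny is checked first, Allow overrides it, default is allow
                admits_all = block["allow"] or not block["deny"]
            else:
                # allow,deny: Deny overrides Allow, default is deny
                admits_all = block["allow"] and not block["deny"]
            open_wildcard = open_wildcard or admits_all
            block = None
        elif block is not None:
            order = re.fullmatch(r"order\s+(\S+)", line)
            if order:
                block["order"] = order.group(1)
            elif re.fullmatch(r"allow\s+from\s+all", line):
                block["allow"] = True
            elif re.fullmatch(r"deny\s+from\s+all", line):
                block["deny"] = True
    return {"forward_proxy": forward_proxy, "open_wildcard": open_wildcard,
            "hazard": forward_proxy and open_wildcard}

# The <Proxy *> block from the answer above
ANSWER_BLOCK = """<Proxy *>
AddDefaultCharset off
Order deny,allow
Deny from all
Allow from all
</Proxy>
"""
# Constructed samples: the same block under each ProxyRequests setting
REVERSE_ONLY = "ProxyRequests Off\n" + ANSWER_BLOCK
OPEN_FORWARD = "ProxyRequests On\n" + ANSWER_BLOCK

if __name__ == "__main__":
    for label, conf in (("reverse only", REVERSE_ONLY), ("open forward", OPEN_FORWARD)):
        print(label, audit_proxy_conf(conf))
```

The block is only hazardous in the second sample: with ProxyRequests Off the same `<Proxy *>` rules govern reverse-proxied requests only.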

Related

How to pass cookie to subdomain in Apache

Let's assume I have project on .NET and is required to develop frontend for some additional module on ReactJS. According to requirements, I can login only on backend side (it has its own UI) and frontend on React should be a standalone application. I can authorize on frontend side with backend API by passing cookies (that I get after login on backend) in Header.
I have placed source code to /var/www/project so there is such structure:
/var/www/project/backend - .NET serves to 127.0.0.1:5000
/var/www/project/frontend - I have generated a static build from ReactJS to /var/www/project/frontend/index.html
My Apache configuration:
<VirtualHost *:80>
ServerName project.com
ProxyPass / http://127.0.0.1:5000/
ProxyPassReverse / http://127.0.0.1:5000/
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
<VirtualHost *:80>
ServerName subdomain.project.com
DocumentRoot /var/www/project/frontend/
<Directory "/">
Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
Backend works and I can access it at project.com. Frontend works also on subdomain.project.com. But I need backend to pass cookie (e.g. http://prntscr.com/lgfikx) to frontend (where currently is http://prntscr.com/lgfjlx)
I have tried ProxyPassReverseCookiePath, ProxyPassReverseCookieDomain, Set-Cookie, but failed. Probably I have just used it wrong, but I have not found anywhere a working example. Answers on similar questions have not worked for me.
My final goal is to authorize frontend so I could talk to backend API. Can somebody tell me the best or just any working solution of how to do it?
If you can see the correct cookie in the WebDev tools, it's most likely that you set the cookie to HttpOnly and didn't make it available to JavaScript in the first place.
If your backend is aware of the domain name used (the cookies it sets should say .project.com in the Domain column of your web developer tools and not 127.0.0.1 or localhost), your frontend app should be able to access the cookies as well.
You only need the ProxyPassReverseCookieDomain if your backend server is using a different domain name than the one the reverse proxy uses. (i.e.: backend lives at domain.com, but you're accessing it through a reverse proxy at project.com)
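The three conditions in this answer (HttpOnly, the Domain attribute, and a backend that sets the wrong domain) can be worked through on concrete Set-Cookie values. This is an added example, not code from the original answers: the cookie name `auth`, its value and the function names are assumptions, and the check ignores Path, Secure and public-suffix rules.

```python
from http.cookies import SimpleCookie

def domain_match(host, domain):
    """Simplified RFC 6265 domain-match: equal, or host is a subdomain."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)

def js_can_read(set_cookie, response_host, page_host):
    """Would document.cookie on page_host expose a cookie that the browser
    received from response_host with this Set-Cookie value?
    Returns (readable, reason)."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    morsel = next(iter(jar.values()))
    if morsel["httponly"]:
        return False, "HttpOnly: never exposed to JavaScript"
    domain = morsel["domain"].lstrip(".")
    if not domain:
        # No Domain attribute: host-only cookie, exact host required
        same = page_host.lower() == response_host.lower()
        return same, "host-only cookie for " + response_host
    if not domain_match(response_host, domain):
        # e.g. backend emits Domain=localhost behind the reverse proxy
        return False, "browser rejects Domain=%s from %s" % (domain, response_host)
    return domain_match(page_host, domain), "scoped to Domain=" + domain

# Constructed Set-Cookie values as the browser would see them from project.com
CASES = {
    "httponly":  "auth=abc123; Domain=.project.com; Path=/; HttpOnly",
    "shared":    "auth=abc123; Domain=.project.com; Path=/",
    "host_only": "auth=abc123; Path=/",
    "localhost": "auth=abc123; Domain=localhost; Path=/",
}

if __name__ == "__main__":
    for label, header in CASES.items():
        print(label, js_can_read(header, "project.com", "subdomain.project.com"))
```

Only the `shared` case is readable from subdomain.project.com; the `localhost` case is the one where ProxyPassReverseCookieDomain applies.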

Apache2 conf file redirecting requests for other enabled sites

I'm running apache2 on ubuntu 16.04. I've configured apache2 to run multiple sites. One of the sites has https setup and to help support this I've added the following rule to redirect http requests to use https:
<VirtualHost *:80>
ServerName http://example.com
Redirect permanent / https://example.com/
</VirtualHost>
This has been too much of a blanket rule as it's redirecting other site's https requests to the domain above.
How can I re-configure the conf above to only redirect http requests for example.com and not the other sites on the same server?
The first listed virtualhost for each host:port acts as the default, catching all unmatched ServerNames. Make sure you don't define your special-case first.
See apachectl -S output for a summary of where your vhosts are loaded from and which one is the default.
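To make the default-vhost rule concrete, here is an added example (not from the original answer) that parses a vhost dump in the layout `apachectl -S` prints and reports which vhost would answer a given Host header. The dump below is constructed, the file paths and the second site name are placeholders, and ServerAlias entries are ignored.

```python
import re

LISTENER = re.compile(r"^(\S+:\d+)\s+is a NameVirtualHost")
DEFAULT = re.compile(r"^\s+default server (\S+) \((.+):(\d+)\)")
NAMEVHOST = re.compile(r"^\s+port \d+ namevhost (\S+) \((.+):(\d+)\)")

def parse_vhost_dump(text):
    """Map each address:port to its default server and its named vhosts."""
    listeners, current = {}, None
    for line in text.splitlines():
        m = LISTENER.match(line)
        if m:
            current = listeners.setdefault(m.group(1), {"default": None, "names": {}})
            continue
        if current is None:
            continue
        m = DEFAULT.match(line)
        if m:
            current["default"] = (m.group(1), m.group(2))
            continue
        m = NAMEVHOST.match(line)
        if m:
            # First definition of a name wins, as in Apache's own lookup
            current["names"].setdefault(m.group(1), m.group(2))
    return listeners

def answering_vhost(listeners, listener, host_header):
    """Return (server name, config file, fell_through_to_default)."""
    entry = listeners[listener]
    host = host_header.split(":")[0].lower()
    if host in entry["names"]:
        return host, entry["names"][host], False
    name, path = entry["default"]
    return name, path, True

# Constructed sample in the layout of `apachectl -S` output
SAMPLE_DUMP = """VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server example.com (/etc/apache2/sites-enabled/000-redirect.conf:1)
         port 80 namevhost example.com (/etc/apache2/sites-enabled/000-redirect.conf:1)
         port 80 namevhost blog.example.org (/etc/apache2/sites-enabled/blog.conf:1)
"""

if __name__ == "__main__":
    parsed = parse_vhost_dump(SAMPLE_DUMP)
    for host in ("blog.example.org", "shop.example.net"):
        print(host, "->", answering_vhost(parsed, "*:80", host))
```

In the sample, a request for shop.example.net has no matching ServerName on *:80, so it falls through to the redirect vhost because that vhost is listed first.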

Reverse Proxy Solr behind Apache Web server

I have an existing apache web server (2.2.15), configured with various security details (https only / authentication / authorization / etc.). I can rely on this server to handle the access requirements to my solr installation.
I have a basic 'example' solr instance up and running on a separate machine. (Solr 4.8.0 )
I want to be able to redirect the url https://myserver/department/team/search/.... to the Solr instance running on another (private) machine http://solrserver:8983/
I have configured the apache server with:
ProxyPass /department/team/search/ http://solserver:8983/
ProxyPassReverse /department/team/search/ http://solserver:8983/
I have some success with this, the https is being handled, the authentication/access is handled, and so on.
When I browse to the URL it is even loading up the basic solr page, but the page, internally, has the following:
<script type="text/javascript">
var app_config = {};
app_config.solr_path = '\/solr';
app_config.core_admin_path = '\/admin\/cores';
</script>
And that (I believe) is causing the JavaScript code to try to call:
https://myserver/solr/admin/cores?wt=json&indexInfo=false&_=1399485239437
Instead of
https://myserver/department/team/search/solr/admin/cores?wt=json&indexInfo=false&_=1399485239437
I believe these two values are configurable ( app_config.solr_path and app_config.core_admin_path ) but I cannot find out how/where to do it......
Questions:
How do I change the values set for the app_config.solr_path and app_config.core_admin_path?
Alternatively, this may be the wrong way to do this entirely, is there a better way to do it? (though the authentication/security provided by the apache webserver is perfect right now....)
This works for me.
<VirtualHost *:8080>
ServerName solr.xyz.com.br
ProxyPreserveHost on
ProxyRequests off
RewriteEngine On
RewriteRule ^\/solr(.*)$ $1 [L,R]
ProxyPass / ajp://localhost:8009/solr/
ProxyPassReverse / ajp://localhost:8009/solr/
</VirtualHost>
I know this might be out of context, but I would recommend replacing Apache with NGINX, much much simpler configuration. All you need is the following in nginx.conf:
location /solr/select {
proxy_pass http://YourSolrServer:8983/solr/select;
proxy_buffering on;
}
You can change the first /solr/select with whatever path you want (eg. /department/team/search/). So simple, so elegant.
Reference: https://groups.google.com/forum/#!topic/ajax-solr/pLtYfm83I98

How to add custom header and i should access only through https in apache 2.0

I have configured http and https with different port numbers in Apache 2.0 and now I need to add a custom header called headerssl, and this header must say "hi it took D=345 microsecond to serve you." It should be accessible only through the https site.
Refer to this mod_ssl guide to setup an SSL enabled site, a default Apache installation includes a sample SSL site for reference. You may use that as a starting point and customize it for your configuration.
Refer to this mod_headers guide to configure custom headers. Use the following syntax with mod_headers, but place this line within an SSL config, see the example below:
<VirtualHost *:443>
ServerName www.example.com
SSLEngine on
SSLCertificateFile "/path/to/www.example.com.cert"
SSLCertificateKeyFile "/path/to/www.example.com.key"
Header set headerssl "Hi it took D = %D microseconds to serve you"
</VirtualHost>

Redirecting https requests to two different weblogic servers using the Weblogic proxy and Apache2

I have a server serverA running a weblogic application App1, with base url /app1/ on port 7001, and another server serverB, running a weblogic application App2, with base url /app2/ on port 8001. Both servers run Solaris, Apache2 and Weblogic 9.2
(details changed, but these are representative)
In other words, app1 could be accessed on
http://serverA:7001/app1/
and app2 on
http://serverB:8001/app2/
However, the customer requires that all access to the applications use https on port 443 to server1.
If there was only one application, I could use a virtual host and set the handler for URLS beginning with /app1/ to the Weblogic proxy, which would forward them on to server 1 on port 7001.
With two apps, I would need another virtual host with another Location statement matching /app2/ and forwarding to the current server on port 8001 ... but I don't see how this could work as the first virtual host will have done the SSL negotiation to determine the URL, and Apache presumably can't do that over when things fall through to the second virtual server.
So how do I handle this?
My current idea is to proxy all SSL requests arriving at server1 to the same server server1, on port 80 (so essentially just doing SSL termination), then adding two virtual hosts for the /app1/ and /app2/ URLs in the way described above.
Is this going to work? Have I missed something obvious about other ways of doing this?
EDIT: I think I may have missed that the Weblogic plugin can have several blocks each directing the page to different places. In which case this becomes easy.
I will test tomorrow when back at work and update the question
First, the must read resource for this is of course the official documentation : Installing and Configuring the Apache HTTP Server Plug-In (see also this previous answer for more links about the WLS 9 plugin).
As detailed in the section Configuring the Apache HTTP Server Plug-In, I'd define several IfModule, one for each application (clustered or not), and, indeed, several VirtualHost (which can include IfModule). There is an example in the documentation:
# VirtualHost1 = localhost:80
<VirtualHost 127.0.0.1:80>
DocumentRoot "C:/test/VirtualHost1"
ServerName localhost:80
<IfModule mod_weblogic.c>
#... WLS parameter ...
WebLogicCluster localhost:7101,localhost:7201
# Example: MatchExpression *.jsp <some additional parameter>
MatchExpression *.jsp PathPrepend=/test2
</IfModule>
</VirtualHost>
# VirtualHost2 = 127.0.0.2:80
<VirtualHost 127.0.0.2:80>
DocumentRoot "C:/test/VirtualHost1"
ServerName 127.0.0.2:80
<IfModule mod_weblogic.c>
#... WLS parameter ...
WebLogicCluster localhost:7101,localhost:7201
# Example: MatchExpression *.jsp <some additional parameter>
MatchExpression *.jsp PathPrepend=/test2
#... WLS parameter ...
</IfModule>
</VirtualHost> <IfModule mod_weblogic.c>
Note that this is a Multiple IP-Based Virtual Hosts configuration (and not Name-Based as stated in the documentation). But this is actually good because this is exactly what you need when using SSL as you can't use name-based virtual hosts. Quoting Why can't I use SSL with name-based/non-IP-based virtual hosts? from Apache's SSL/TLS Strong Encryption: FAQ
The reason is very technical, and a somewhat "chicken and egg" problem. The SSL protocol layer stays below the HTTP protocol layer and encapsulates HTTP. When an SSL connection (HTTPS) is established Apache/mod_ssl has to negotiate the SSL protocol parameters with the client. For this, mod_ssl has to consult the configuration of the virtual server (for instance it has to look for the cipher suite, the server certificate, etc.). But in order to go to the correct virtual server Apache has to know the Host HTTP header field. To do this, the HTTP request header has to be read. This cannot be done before the SSL handshake is finished, but the information is needed in order to complete the SSL handshake phase. Bingo!
So, in the sample above, modify the virtual hosts IP addresses and ports, the ServerName, adapt the IfModule to suit your needs (and set up DNS entries to point on the IPs) and there you go.
I don't have any experience with weblogic, so maybe I'm missing something important. But this sounds like a straightforward application for apache's reverse proxy capability. Set up an apache instance serving https, and configure two locations as follows:
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
<Location /app1>
ProxyPass http://serverA:7001/app1
ProxyPassReverse http://serverA:7001/app1
</Location>
<Location /app2>
ProxyPass http://serverB:8001/app2
ProxyPassReverse http://serverB:8001/app2
</Location>
The example config from the WebLogic 10.3.x documentation is a perfect fit for your question. Here it is with some other details added:
<VirtualHost _default_:443>
SSLEngine on
# other SSL options here...
LoadModule weblogic_module /home/Oracle/Middleware/wlserver_10.3/server/plugin/linux/x86_64/mod_wl_22.so
<IfModule mod_weblogic.c>
<Location /app1>
WebLogicHost serverA
WebLogicPort 7001
SetHandler weblogic-handler
</Location>
<Location /app2>
WebLogicHost serverB
WebLogicPort 8001
SetHandler weblogic-handler
</Location>
</IfModule>
</VirtualHost>
I use this and it works fine.
