You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Udo Rader <ud...@bestsolution.at> on 2008/02/21 21:30:14 UTC
[users@httpd] reverse https to http proxy not fully working
Hi,
I have the following setup:
an externally reachable https server with mod_proxy enabled that should
reverse proxy requests to other servers within the DMZ:
inet ---> https reverse proxy ---> http hosts
Now everything "almost" works, except for some (not all) urls not
correctly rewritten, most notably stylesheet urls.
When the orginal (internal) url would look like
http://internal.example.com/css/style.css
the reverse proxy converts it into
http://reverseproxy.example.com/css/style.css
instead of the correct
https://reverseproxy.example.com/css/style.css
Unfortunately I don't seem to be able to overcome this problem, so maybe
someone else has an idea ...
My reverse proxying configuration looks like this:
--------CUT-------
ProxyPass /someApp/ http://internal.example.com/someApp/
ProxyHTMLURLMap http://internal.example.com/someApp/ /someApp
<Location /someApp/>
ProxyPassReverse /
SetOutputFilter proxy-html
ProxyHTMLURLMap / /someApp/
ProxyHTMLURLMap /someApp /someApp
</Location>
--------CUT-------
As you see, I've also included mod_proxy_html, but that does not change
anything.
Any ideas?
--
Udo Rader
bestsolution.at EDV Systemhaus GmbH
http://www.bestsolution.at
Re: [users@httpd] reverse https to http proxy not fully working
Posted by Udo Rader <ud...@bestsolution.at>.
On Thu, 2008-02-21 at 22:43 +0100, Udo Rader wrote:
> Am Donnerstag, den 21.02.2008, 20:44 +0000 schrieb Nick Kew:
> > > <Location /someApp/>
> > > ProxyPassReverse /
> > > SetOutputFilter proxy-html
> > > ProxyHTMLURLMap / /someApp/
> > > ProxyHTMLURLMap /someApp /someApp
> > > </Location>
> >
> > Heh. I really should update that tutorial (not that the
> > above is wrong - it's just suboptimal nowadays).
>
> Oh yes, what would the world be without tutorials :-)
>
> You say it is suboptimal ... so what was the better way?
Nick, do you have any hints how to do it better?
... I am eager to learn something new :-)
Thanks in advance!
--
Udo Rader
bestsolution.at EDV Systemhaus GmbH
http://www.bestsolution.at
>
Re: [users@httpd] reverse https to http proxy not fully working
Posted by Udo Rader <ud...@bestsolution.at>.
Am Donnerstag, den 21.02.2008, 20:44 +0000 schrieb Nick Kew:
> > <Location /someApp/>
> > ProxyPassReverse /
> > SetOutputFilter proxy-html
> > ProxyHTMLURLMap / /someApp/
> > ProxyHTMLURLMap /someApp /someApp
> > </Location>
>
> Heh. I really should update that tutorial (not that the
> above is wrong - it's just suboptimal nowadays).
Oh yes, what would the world be without tutorials :-)
You say it is suboptimal ... so what was the better way?
--
Udo Rader
bestsolution.at EDV Systemhaus GmbH
http://www.bestsolution.at
Re: [users@httpd] reverse https to http proxy not fully working
Posted by Nick Kew <ni...@webthing.com>.
On Thu, 21 Feb 2008 21:30:14 +0100
Udo Rader <ud...@bestsolution.at> wrote:
> ProxyHTMLURLMap http://internal.example.com/someApp/ /someApp
You have unmatched trailing slashes. If that gets invoked,
it'll typically generate a redirect from mod_dir when the link
gets followed.
> <Location /someApp/>
> ProxyPassReverse /
> SetOutputFilter proxy-html
> ProxyHTMLURLMap / /someApp/
> ProxyHTMLURLMap /someApp /someApp
> </Location>
Heh. I really should update that tutorial (not that the
above is wrong - it's just suboptimal nowadays).
> Any ideas?
>
Figure out where the offending redirect is coming from.
The error log is your friend.
--
Nick Kew
Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Re: re[users@httpd] verse https to http proxy
not fully working
Posted by Udo Rader <ud...@bestsolution.at>.
On Sat, 2008-02-23 at 10:37 -0800, Andrew2008 wrote:
>
>
> udotirol wrote:
> >
> > So in order to solve the riddle myself, the problem was really well
> > hidden and not due to a the configuration I posted above.
> >
> > The problem was that I had mod_deflate globally enabled for the https
> > host (being not only a reverse proxy but also a "regular" webserver as
> > well), resulting in mod_deflate obviously having some precedence over
> > mod_proxy_html and that again resulting in mod_proxy_html not converting
> > anything.
> >
> > Disabling mod_deflate globally and enabling it only where I really
> > needed it, solved the problem.
> >
> > However, this looks like a mod_proxy_html <=> mod_deflate interaction
> > problem.
> >
> >
>
> Hi there...is it okay if you can post all the changes that you made to your
> httpd.conf in order to make things work please? Sorry, i'm not familiar
> with the mod_deflate module and I'm new to Apache. I think I have the same
> problem that you have. Thanks in advance.
Sure, but there is not much magic in there. What I mostly did was to
remove mod_deflate from places (that is, Locations and Directories)
where I don't need/want it in reality instead of having it enabled
globally.
So my configuration for the reverse proxy approximately looks like this:
------CUT------
<VirtualHost 172.17.3.98:443>
ServerName secure.example.com:443
[...]
<Proxy *>
Order Deny,Allow
Deny from all
Allow from all
</Proxy>
# ProxyHTMLLogVerbose On
# produces huge amounts of logging data, because
# mod_ssl is debug logging now as well
# LogLevel Debug
DeflateCompressionLevel 6
# conflicts with mod_proxy_html, at least in my case :-)
# AddOutputFilterByType DEFLATE text/html text/plain text/xml
ProxyHTMLInterp On
ProxyHTMLExtended On
ProxyPass /someApp/ http://internal.example.com:1520/someApp/
ProxyHTMLURLMap http://internal.example.com/someApp/ /someApp/
<Location /someApp/>
ProxyPassReverse /
SetOutputFilter proxy-html
ProxyHTMLURLMap / /someApp/
ProxyHTMLURLMap /someApp /someApp
</Location>
<Location /deflatedStuff/>
SetOutputFilter DEFLATE
[...]
</Location>
------CUT------
The best indication that mod_proxy_html was not doing anything was by
turning on it's logging features and finding no traces of it in the log
file afterwards.
--
Udo Rader
bestsolution.at EDV Systemhaus GmbH
http://www.bestsolution.at
[users@httpd] Re: re[users@httpd] verse https to http proxy not fully working
Posted by Andrew2008 <ki...@hotmail.com>.
udotirol wrote:
>
> So in order to solve the riddle myself, the problem was really well
> hidden and not due to a the configuration I posted above.
>
> The problem was that I had mod_deflate globally enabled for the https
> host (being not only a reverse proxy but also a "regular" webserver as
> well), resulting in mod_deflate obviously having some precedence over
> mod_proxy_html and that again resulting in mod_proxy_html not converting
> anything.
>
> Disabling mod_deflate globally and enabling it only where I really
> needed it, solved the problem.
>
> However, this looks like a mod_proxy_html <=> mod_deflate interaction
> problem.
>
>
Hi there...is it okay if you can post all the changes that you made to your
httpd.conf in order to make things work please? Sorry, i'm not familiar
with the mod_deflate module and I'm new to Apache. I think I have the same
problem that you have. Thanks in advance.
--
View this message in context: http://www.nabble.com/reverse-https-to-http-proxy-not-fully-working-tp15620512p15655520.html
Sent from the Apache HTTP Server - Users mailing list archive at Nabble.com.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] reverse https to http proxy not fully working
Posted by Udo Rader <ud...@bestsolution.at>.
On Fri, 2008-02-22 at 15:03 +0000, Nick Kew wrote:
> On Fri, 22 Feb 2008 15:56:53 +0100
> Udo Rader <ud...@bestsolution.at> wrote:
>
> > However, this looks like a mod_proxy_html <=> mod_deflate interaction
> > problem.
>
> Sounds like more than one SetOutputFilter overriding each other.
> See http://httpd.apache.org/docs/2.2/sections.html#mergin
Yes, you are right. Fixing the order makes both mod_proxy_html and
mod_deflate live together in harmony :-)
--
Udo Rader
bestsolution.at EDV Systemhaus GmbH
http://www.bestsolution.at
>
Re: [users@httpd] reverse https to http proxy not fully working
Posted by Nick Kew <ni...@webthing.com>.
On Fri, 22 Feb 2008 15:56:53 +0100
Udo Rader <ud...@bestsolution.at> wrote:
> However, this looks like a mod_proxy_html <=> mod_deflate interaction
> problem.
Sounds like more than one SetOutputFilter overriding each other.
See http://httpd.apache.org/docs/2.2/sections.html#mergin
--
Nick Kew
Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] reverse https to http proxy not fully working
Posted by Udo Rader <ud...@bestsolution.at>.
On Thu, 2008-02-21 at 21:30 +0100, Udo Rader wrote:
> Hi,
>
> I have the following setup:
>
> an externally reachable https server with mod_proxy enabled that should
> reverse proxy requests to other servers within the DMZ:
>
> inet ---> https reverse proxy ---> http hosts
>
> Now everything "almost" works, except for some (not all) urls not
> correctly rewritten, most notably stylesheet urls.
>
> When the orginal (internal) url would look like
>
> http://internal.example.com/css/style.css
>
> the reverse proxy converts it into
>
> http://reverseproxy.example.com/css/style.css
>
> instead of the correct
>
> https://reverseproxy.example.com/css/style.css
>
> Unfortunately I don't seem to be able to overcome this problem, so maybe
> someone else has an idea ...
>
> My reverse proxying configuration looks like this:
>
> --------CUT-------
> ProxyPass /someApp/ http://internal.example.com/someApp/
> ProxyHTMLURLMap http://internal.example.com/someApp/ /someApp
>
> <Location /someApp/>
> ProxyPassReverse /
> SetOutputFilter proxy-html
> ProxyHTMLURLMap / /someApp/
> ProxyHTMLURLMap /someApp /someApp
> </Location>
> --------CUT-------
>
> As you see, I've also included mod_proxy_html, but that does not change
> anything.
So in order to solve the riddle myself, the problem was really well
hidden and not due to a the configuration I posted above.
The problem was that I had mod_deflate globally enabled for the https
host (being not only a reverse proxy but also a "regular" webserver as
well), resulting in mod_deflate obviously having some precedence over
mod_proxy_html and that again resulting in mod_proxy_html not converting
anything.
Disabling mod_deflate globally and enabling it only where I really
needed it, solved the problem.
However, this looks like a mod_proxy_html <=> mod_deflate interaction
problem.
--
Udo Rader
bestsolution.at EDV Systemhaus GmbH
http://www.bestsolution.at
>
Re: [users@httpd] reverse https to http proxy not fully working
Posted by Udo Rader <ud...@bestsolution.at>.
Am Donnerstag, den 21.02.2008, 21:10 +0000 schrieb Nick Kew:
> On Thu, 21 Feb 2008 21:30:14 +0100
> Udo Rader <ud...@bestsolution.at> wrote:
>
>
> > My reverse proxying configuration looks like this:
>
> Heh. Missed this in my previous reply.
>
> > --------CUT-------
> > ProxyPass /someApp/ http://internal.example.com/someApp/
>
> With that /someApp/ in the target, you need to *preserve*
> that part of the URL. Your current rules will erase it, to
> work with the more usual case of
> ProxyPass /someApp/ http://internal.example.com/
Hmm, ok, I've first added the trailing slash to be like this:
ProxyHTMLURLMap http://internal.example.com/someApp/ /someApp/
but that did not change anything, and the logs don't show anything, with
logging active like this:
ProxyHTMLLogVerbose On
LogLevel Info
Now you say that I should change my ProxyPass directive, but how would
that work? Internally the application I am trying to proxy is reachable
via /someApp ...
But in order to give it a try, I changed my configuration like this:
ProxyPass /internal/ http://internal.example.com/
<Location /internal/>
ProxyPassReverse /
</Location>
Now still, if I access my https proxy with
https://reverseproxy.example.com/internal/someApp/
I still see this
<link rel="stylesheet" type="text/css"
href="http://reverseproxy.example.com/someApp/css/default.css" />
... thanks :-)
--
B e s t S o l u t i o n . a t EDV Systemhaus GmbH
------------------------------------------------------------------------
udo rader technischer leiter/CTO
------------------------------------------------------------------------
eduard-bodem-gasse 8/3 A-6020 innsbruck phone ++43 512 935834
Re: [users@httpd] reverse https to http proxy not fully working
Posted by Nick Kew <ni...@webthing.com>.
On Thu, 21 Feb 2008 21:30:14 +0100
Udo Rader <ud...@bestsolution.at> wrote:
> My reverse proxying configuration looks like this:
Heh. Missed this in my previous reply.
> --------CUT-------
> ProxyPass /someApp/ http://internal.example.com/someApp/
With that /someApp/ in the target, you need to *preserve*
that part of the URL. Your current rules will erase it, to
work with the more usual case of
ProxyPass /someApp/ http://internal.example.com/
--
Nick Kew
Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org