Posted to users@httpd.apache.org by Michelle Konzack <li...@tamay-dogan.net> on 2010/10/07 07:51:44 UTC
[users@httpd] Problem with ProxyPass
Good morning,
I have to use a single backup IP on a VHDSL and redirect the whole :80
traffic to a DMZ where I want to use "apache2" as proxy to redirect
traffic to some internal servers.
I tried to use
----[ '/etc/apache2/conf.d/apache_proxy' ]------------------------------
NameVirtualHost 192.168.0.69:80
<VirtualHost 192.168.0.69:80>
ServerName www.tdipmedia.net
ProxyPass / http://192.168.0.208:80/
ProxyPassReverse / http://192.168.0.208:80/
<Directory proxy:http://192.168.0.208:80/*>
Order deny,allow
Allow from all
</Directory>
</VirtualHost>
------------------------------------------------------------------------
but the redirection to the IP 192.168.0.208 does not work.
What am I missing here?
Thanks, Greetings and nice Day/Evening
Michelle Konzack
--
##################### Debian GNU/Linux Consultant ######################
Development of Intranet and Embedded Systems with Debian GNU/Linux
itsystems@tdnet France EURL itsystems@tdnet UG (limited liability)
Owner Michelle Konzack Owner Michelle Konzack
Apt. 917 (homeoffice)
50, rue de Soultz Kinzigstraße 17
67100 Strasbourg/France 77694 Kehl/Germany
Tel: +33-6-61925193 mobil Tel: +49-177-9351947 mobil
Tel: +33-9-52705884 fix
<http://www.itsystems.tamay-dogan.net/> <http://www.flexray4linux.org/>
<http://www.debian.tamay-dogan.net/> <http://www.can4linux.org/>
Jabber linux4michelle@jabber.ccc.de
Linux-User #280138 with the Linux Counter, http://counter.li.org/
Re: [users@httpd] Re: Problem with ProxyPass
Posted by Tom Evans <te...@googlemail.com>.
On Thu, Oct 7, 2010 at 1:27 PM, Michelle Konzack
<li...@tamay-dogan.net> wrote:
> Hello Tom Evans,
>
> On 2010-10-07 10:55:59, you hacked out the following:
>> On Thu, Oct 7, 2010 at 6:51 AM, Michelle Konzack
>> <li...@tamay-dogan.net> wrote:
>> > ----[ '/etc/apache2/conf.d/apache_proxy' ]------------------------------
>> > NameVirtualHost 192.168.0.69:80
>> >
>> > <VirtualHost 192.168.0.69:80>
>> > ServerName www.tdipmedia.net
>> > ProxyPass / http://192.168.0.208:80/
>> > ProxyPassReverse / http://192.168.0.208:80/
>> > <Directory proxy:http://192.168.0.208:80/*>
>> > Order deny,allow
>> > Allow from all
>> > </Directory>
>> > </VirtualHost>
>> > ------------------------------------------------------------------------
>> Your config doesn't look right to me:
>
> Hmmm, since my three pootle instances were conflicting with Apache, I
> have set up last year the following config which is working:
>
> ----[ '/VServer_10/APACHE_available/pootle.tdwave.net' ]----------------
> <VirtualHost 192.168.0.69:80>
> ServerAdmin linux4michelle@tamay-dogan.net
> ServerName pootle.tdwave.net
>
> ProxyPass /images !
> ProxyPass /js !
> ProxyPass /pootle.css !
> ProxyPass /favicon.ico !
> ProxyPass / http://localhost:8888/
> ProxyPassReverse / http://localhost:8888/
> <Directory proxy:http://localhost:8888/*>
> Order deny,allow
> Allow from all
> </Directory>
>
> DocumentRoot /usr/share/pootle/html/
> <Directory /usr/share/pootle/html/>
> Order deny,allow
> Allow from all
> </Directory>
>
> <Directory />
> Options FollowSymLinks Indexes
> AllowOverride None
> Order deny,allow
> Allow from all
> </Directory>
>
> # debug, info, notice, warn, error, crit, alert, emerg.
> LogLevel warn
> ErrorLog /VServer_10/CONFIG_pootle.tdwave.net/log/apache/error.log
>
> LogFormat "%{[%Y-%m-%d %H:%M:%S %z]}t %h [%V] %l %u \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" vhost
> CustomLog /VServer_10/CONFIG_pootle.tdwave.net/log/apache/access.log vhost
>
> ServerSignature On
> </VirtualHost>
> ------------------------------------------------------------------------
>
> and now modified it. The only difference is that the new server is NOT
> on <localhost> but on IP <192.168.0.208>
>
>> NameVirtualHost 192.168.0.69:80
>>
>> This says 'When a request comes in on the socket listening on IP
>> 192.168.0.69, port 80, use the Host header from the request to infer
>> the virtualhost to use'.
>
> Right
>
>> <VirtualHost 192.168.0.69:80>
>> ServerName www.tdipmedia.net
>>
>> </VirtualHost>
>>
>> This says: 'When a request comes in on 192.168.0.69:80, with Host
>> header 'www.tdipmedia.net', use this virtualhost to serve the request'
>
> Right too.
>
>> ProxyPass / http://192.168.0.208:80/
>> ProxyPassReverse / http://192.168.0.208:80/
>>
>> This says: 'Proxy / to the website on http://192.168.0.208:80/'
>
> Right too.
>
>> <Directory proxy:http://192.168.0.208:80/*>
>> Order deny,allow
>> Allow from all
>> </Directory>
>>
>> This is nonsense. A <Directory> refers to a disk location, nothing
>> else. If you wish to restrict who can access a reverse proxy, use a
>> <Proxy> directive or a <Location> directive.
>
> Hmmm...
>
>> Well, you haven't specified anything in your config that would result
>> in a redirect, you have configured a proxy. Apart from that...
>>
>> So there are a couple of things you can check.
>>
>> 1) When you connect to the webserver, are you connecting to 192.168.0.69:80 ?
>
> Yes, and I get:
>
> ----[ command 'wget -S -O /dev/null http://www.tdipmedia.net/' ]--------
>
> --2010-10-07 14:26:26-- http://www.tdipmedia.net/
> Resolving www.tdipmedia.net... 88.168.69.36
> Connecting to www.tdipmedia.net|88.168.69.36|:80... connected.
> HTTP request sent, awaiting response...
> HTTP/1.1 403 Forbidden
> Date: Thu, 07 Oct 2010 12:26:26 GMT
> Content-Length: 390
> Keep-Alive: timeout=15, max=100
> Connection: Keep-Alive
> Content-Type: text/html; charset=iso-8859-1
> 2010-10-07 14:26:26 ERROR 403: Forbidden.
>
> ------------------------------------------------------------------------
>
> <88.168.69.36> is my fixed PUBLIC IP address and all :80 traffic is
> redirected to my DMZ on <192.168.0.69> and some of the servers should be
> proxied to Servers behind it like the <192.168.0.208>.
>
>> 2) What Host header are you sending to the server? Typically a browser
>> will send the host portion of the URL you type in the address bar -
>> does that match 'www.tdipmedia.net'?
>> 3) Where are your logs? What 'does not work' - explain what you've
>> tried, what the server does when you try that, and what error/info
>> messages are printed in the access and error logs.
>
> [Thu Oct 07 14:16:45 2010] [error] [client 192.168.0.65] client denied by server configuration: proxy:http://192.168.0.208:80/
>
> Thanks, Greetings and nice Day/Evening
> Michelle Konzack
>
> --
Can you spot the difference, or shall I point it out? :)
In your working vhost, you have specified a documentroot, and have
granted access to it. In your non working vhost, you haven't done
either, and your <Directory> block doesn't ever get applied, thus
requests are denied.
Either replace your <Directory> block with an appropriate <Location>
block, or give your vhost an empty document root, and change your
Directory block to point at that (/var/empty is what I usually use).
Cheers
Tom
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
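The fix described in this reply, written out as an added example (not part of the original posts): the vhost from the question with the `<Directory proxy:...>` block replaced by a `<Proxy>` block, in Apache 2.2 access-control syntax to match the `Server: Apache/2.2.3` header shown in the thread. The explicit `ProxyRequests Off` line and the commented `<Location>` alternative are additions.

```apache
# Added example, not the poster's final configuration.
NameVirtualHost 192.168.0.69:80

<VirtualHost 192.168.0.69:80>
    ServerName www.tdipmedia.net

    # Reverse proxy only. ProxyRequests Off is the default; it is stated
    # explicitly because the access block below grants access to proxied
    # resources, and with forward proxying enabled that grant would turn
    # the DMZ host into an open proxy.
    ProxyRequests Off

    ProxyPass        / http://192.168.0.208:80/
    ProxyPassReverse / http://192.168.0.208:80/

    # Never applied to proxied requests: <Directory> matches filesystem
    # paths, so the request falls through to a deny and the error log shows
    # "client denied by server configuration: proxy:http://192.168.0.208:80/".
    # <Directory proxy:http://192.168.0.208:80/*>
    #     Order deny,allow
    #     Allow from all
    # </Directory>

    # Option A: access control keyed on the backend URL being proxied to.
    <Proxy http://192.168.0.208:80/*>
        Order deny,allow
        Allow from all
    </Proxy>

    # Option B (use instead of A): access control keyed on the front-end
    # URL space of this vhost.
    # <Location />
    #     Order deny,allow
    #     Allow from all
    # </Location>
</VirtualHost>
```

On Apache 2.4 the `Order`/`Allow` pair is replaced by `Require all granted`. After editing, `apachectl configtest` checks the syntax and `apachectl -S` shows which vhost answers for each address and name.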
Re: [users@httpd] Re: Problem with ProxyPass
Posted by Tom Evans <te...@googlemail.com>.
2010/10/8 Igor Galić <i....@brainsware.org>:
> ----- Tom Evans <te...@googlemail.com> wrote:
>> If you did not also add a NameVirtualHost for *:80, then that is to be
>> expected. If you don't do any IP/port based virtual hosting, then it
>> is usually easiest to do:
>>
>> NameVirtualHost *
>>
>> <VirtualHost *>
>
> that's ambiguous. A better practice is to use *:80 (when Listen-ing on port 80)
>
(I call FUD)
What is ambiguous about it? Is it open to more than one
interpretation? What is better about using *:80, in your opinion
(since you seem to have one about it)?
It's two less characters to type, and means that however I configure
the Listen directives, or how I connect to the server, my list of
configured vhosts is applied correctly.
Tom
Re: [users@httpd] Re: Problem with ProxyPass
Posted by Igor Galić <i....@brainsware.org>.
----- Tom Evans <te...@googlemail.com> wrote:
> On Thu, Oct 7, 2010 at 2:23 PM, Michelle Konzack
> <li...@tamay-dogan.net> wrote:
> > Forgotten one thing:
> >
> > If I change the
> > <VirtualHost 192.168.0.69:80>
> > to
> > <VirtualHost *:80>
> > I get
What does apachectl -S say?
> ><snip>
> >
> > which means, it has hit the DEFAULT VHost and never arrived at the config
> > of <www.tdipmedia.net> which means, the <VirtualHost 192.168.0.69:80> is
> > required.
> >
> > Thanks, Greetings and nice Day/Evening
> > Michelle Konzack
> >
>
> If you did not also add a NameVirtualHost for *:80, then that is to be
> expected. If you don't do any IP/port based virtual hosting, then it
> is usually easiest to do:
>
> NameVirtualHost *
>
> <VirtualHost *>
That's ambiguous. A better practice is to use *:80 (when Listen-ing on port 80)
> Cheers
>
> Tom
>
>
--
Igor Galić
Tel: +43 (0) 664 886 22 883
Mail: i.galic@brainsware.org
URL: http://brainsware.org/
Re: [users@httpd] Re: Problem with ProxyPass
Posted by Tom Evans <te...@googlemail.com>.
On Thu, Oct 7, 2010 at 2:23 PM, Michelle Konzack
<li...@tamay-dogan.net> wrote:
> Forgotten one thing:
>
> If I change the
> <VirtualHost 192.168.0.69:80>
> to
> <VirtualHost *:80>
> I get
>
><snip>
>
> which means, it has hit the DEFAULT VHost and never arrived at the config
> of <www.tdipmedia.net> which means, the <VirtualHost 192.168.0.69:80> is
> required.
>
> Thanks, Greetings and nice Day/Evening
> Michelle Konzack
>
If you did not also add a NameVirtualHost for *:80, then that is to be
expected. If you don't do any IP/port based virtual hosting, then it
is usually easiest to do:
NameVirtualHost *
<VirtualHost *>
Cheers
Tom
[users@httpd] Re: Problem with ProxyPass
Posted by Michelle Konzack <li...@tamay-dogan.net>.
Forgotten one thing:
If I change the
<VirtualHost 192.168.0.69:80>
to
<VirtualHost *:80>
I get
----[ command 'wget -S -O /dev/null http://www.tdipmedia.net/ 2>&1' ]---
--2010-10-07 15:20:26-- http://www.tdipmedia.net/
Resolving www.tdipmedia.net... 88.168.69.36
Connecting to www.tdipmedia.net|88.168.69.36|:80... connected.
HTTP request sent, awaiting response...
HTTP/1.1 302 Found
Date: Thu, 07 Oct 2010 13:20:26 GMT
Server: Apache/2.2.3 (Debian) Embperl/2.2.0 DAV/2 PHP/5.2.0-8+etch16 mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch16
Location: /?what=index
Content-Length: 0
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Location: /?what=index [following]
--2010-10-07 15:20:27-- http://www.tdipmedia.net/?what=index
Reusing existing connection to www.tdipmedia.net:80.
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Date: Thu, 07 Oct 2010 13:20:27 GMT
Server: Apache/2.2.3 (Debian) Embperl/2.2.0 DAV/2 PHP/5.2.0-8+etch16 mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch16
Connection: close
Content-Type: text/html; charset=UTF-8
Length: unspecified [text/html]
Saving to: `/dev/null'
0K ...... 241K=0.03s
2010-10-07 15:20:27 (241 KB/s) - `/dev/null' saved [6343]
------------------------------------------------------------------------
which means, it has hit the DEFAULT VHost and never arrived at the config
of <www.tdipmedia.net> which means, the <VirtualHost 192.168.0.69:80> is
required.
Thanks, Greetings and nice Day/Evening
Michelle Konzack
[users@httpd] Re: Problem with ProxyPass
Posted by Michelle Konzack <li...@tamay-dogan.net>.
Hello Tom Evans,
On 2010-10-07 10:55:59, you hacked out the following:
> On Thu, Oct 7, 2010 at 6:51 AM, Michelle Konzack
> <li...@tamay-dogan.net> wrote:
> > ----[ '/etc/apache2/conf.d/apache_proxy' ]------------------------------
> > NameVirtualHost 192.168.0.69:80
> >
> > <VirtualHost 192.168.0.69:80>
> > ServerName www.tdipmedia.net
> > ProxyPass / http://192.168.0.208:80/
> > ProxyPassReverse / http://192.168.0.208:80/
> > <Directory proxy:http://192.168.0.208:80/*>
> > Order deny,allow
> > Allow from all
> > </Directory>
> > </VirtualHost>
> > ------------------------------------------------------------------------
> Your config doesn't look right to me:
Hmmm, since my three pootle instances were conflicting with Apache, I
have set up last year the following config which is working:
----[ '/VServer_10/APACHE_available/pootle.tdwave.net' ]----------------
<VirtualHost 192.168.0.69:80>
ServerAdmin linux4michelle@tamay-dogan.net
ServerName pootle.tdwave.net
ProxyPass /images !
ProxyPass /js !
ProxyPass /pootle.css !
ProxyPass /favicon.ico !
ProxyPass / http://localhost:8888/
ProxyPassReverse / http://localhost:8888/
<Directory proxy:http://localhost:8888/*>
Order deny,allow
Allow from all
</Directory>
DocumentRoot /usr/share/pootle/html/
<Directory /usr/share/pootle/html/>
Order deny,allow
Allow from all
</Directory>
<Directory />
Options FollowSymLinks Indexes
AllowOverride None
Order deny,allow
Allow from all
</Directory>
# debug, info, notice, warn, error, crit, alert, emerg.
LogLevel warn
ErrorLog /VServer_10/CONFIG_pootle.tdwave.net/log/apache/error.log
LogFormat "%{[%Y-%m-%d %H:%M:%S %z]}t %h [%V] %l %u \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" vhost
CustomLog /VServer_10/CONFIG_pootle.tdwave.net/log/apache/access.log vhost
ServerSignature On
</VirtualHost>
------------------------------------------------------------------------
and now modified it. The only difference is that the new server is NOT
on <localhost> but on IP <192.168.0.208>
> NameVirtualHost 192.168.0.69:80
>
> This says 'When a request comes in on the socket listening on IP
> 192.168.0.69, port 80, use the Host header from the request to infer
> the virtualhost to use'.
Right
> <VirtualHost 192.168.0.69:80>
> ServerName www.tdipmedia.net
>
> </VirtualHost>
>
> This says: 'When a request comes in on 192.168.0.69:80, with Host
> header 'www.tdipmedia.net', use this virtualhost to serve the request'
Right too.
> ProxyPass / http://192.168.0.208:80/
> ProxyPassReverse / http://192.168.0.208:80/
>
> This says: 'Proxy / to the website on http://192.168.0.208:80/'
Right too.
> <Directory proxy:http://192.168.0.208:80/*>
> Order deny,allow
> Allow from all
> </Directory>
>
> This is nonsense. A <Directory> refers to a disk location, nothing
> else. If you wish to restrict who can access a reverse proxy, use a
> <Proxy> directive or a <Location> directive.
Hmmm...
> Well, you haven't specified anything in your config that would result
> in a redirect, you have configured a proxy. Apart from that...
>
> So there are a couple of things you can check.
>
> 1) When you connect to the webserver, are you connecting to 192.168.0.69:80 ?
Yes, and I get:
----[ command 'wget -S -O /dev/null http://www.tdipmedia.net/' ]--------
--2010-10-07 14:26:26-- http://www.tdipmedia.net/
Resolving www.tdipmedia.net... 88.168.69.36
Connecting to www.tdipmedia.net|88.168.69.36|:80... connected.
HTTP request sent, awaiting response...
HTTP/1.1 403 Forbidden
Date: Thu, 07 Oct 2010 12:26:26 GMT
Content-Length: 390
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
2010-10-07 14:26:26 ERROR 403: Forbidden.
------------------------------------------------------------------------
<88.168.69.36> is my fixed PUBLIC IP address and all :80 traffic is
redirected to my DMZ on <192.168.0.69> and some of the servers should be
proxied to Servers behind it like the <192.168.0.208>.
> 2) What Host header are you sending to the server? Typically a browser
> will send the host portion of the URL you type in the address bar -
> does that match 'www.tdipmedia.net'?
> 3) Where are your logs? What 'does not work' - explain what you've
> tried, what the server does when you try that, and what error/info
> messages are printed in the access and error logs.
[Thu Oct 07 14:16:45 2010] [error] [client 192.168.0.65] client denied by server configuration: proxy:http://192.168.0.208:80/
Thanks, Greetings and nice Day/Evening
Michelle Konzack
Re: [users@httpd] Problem with ProxyPass
Posted by Tom Evans <te...@googlemail.com>.
On Thu, Oct 7, 2010 at 6:51 AM, Michelle Konzack
<li...@tamay-dogan.net> wrote:
> Good morning,
>
> I have to use a single backup IP on a VHDSL and redirect the whole :80
> traffic to a DMZ where I want to use "apache2" as proxy to redirect
> traffic to some internal servers.
>
> I tried to use
>
> ----[ '/etc/apache2/conf.d/apache_proxy' ]------------------------------
> NameVirtualHost 192.168.0.69:80
>
> <VirtualHost 192.168.0.69:80>
> ServerName www.tdipmedia.net
> ProxyPass / http://192.168.0.208:80/
> ProxyPassReverse / http://192.168.0.208:80/
> <Directory proxy:http://192.168.0.208:80/*>
> Order deny,allow
> Allow from all
> </Directory>
> </VirtualHost>
> ------------------------------------------------------------------------
>
Your config doesn't look right to me:
NameVirtualHost 192.168.0.69:80
This says 'When a request comes in on the socket listening on IP
192.168.0.69, port 80, use the Host header from the request to infer
the virtualhost to use'.
<VirtualHost 192.168.0.69:80>
ServerName www.tdipmedia.net
</VirtualHost>
This says: 'When a request comes in on 192.168.0.69:80, with Host
header 'www.tdipmedia.net', use this virtualhost to serve the request'
ProxyPass / http://192.168.0.208:80/
ProxyPassReverse / http://192.168.0.208:80/
This says: 'Proxy / to the website on http://192.168.0.208:80/'
<Directory proxy:http://192.168.0.208:80/*>
Order deny,allow
Allow from all
</Directory>
This is nonsense. A <Directory> refers to a disk location, nothing
else. If you wish to restrict who can access a reverse proxy, use a
<Proxy> directive or a <Location> directive.
> but the redirection to the IP 192.168.0.208 does not work.
>
> What am I missing here?
>
> Thanks, Greetings and nice Day/Evening
> Michelle Konzack
>
Well, you haven't specified anything in your config that would result
in a redirect, you have configured a proxy. Apart from that...
So there are a couple of things you can check.
1) When you connect to the webserver, are you connecting to 192.168.0.69:80 ?
2) What Host header are you sending to the server? Typically a browser
will send the host portion of the URL you type in the address bar -
does that match 'www.tdipmedia.net'?
3) Where are your logs? What 'does not work' - explain what you've
tried, what the server does when you try that, and what error/info
messages are printed in the access and error logs.
Cheers
Tom