You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@httpd.apache.org by Franklin Weng <fr...@goodhorse.idv.tw.INVALID> on 2020/04/13 11:53:56 UTC

[users@httpd] Strange behavior for reverse proxy

Hi,

I meet a strange problem.

The website architecture is:

Internet -- (Proxy server with public and private ip)  -- (backend server)

Proxy server and backend server are both running Debian buster with apache
2.4.38-3+deb10u3

In the proxy server settings, proxy and proxy_http modules have been
enabled, and here I have two example virtual server config:

conf.la.conf in proxy server apache:
https://pastebin.com/BFxzpnjN

http://conf.libreoffice.asia will be redirected to
https://conf.libreoffice.asia, which will get from *http*://
intern-conf.libreoffice.asia/ via reverse proxy
Notice in the backend part only http is used, SSL module is disabled.

The ip of intern-conf.libreoffice.asia is a private ip which is defined in
/etc/hosts of the proxy server:
https://pastebin.com/gpfsnJ34

This setting works perfectly.

However another virtual server setting uses almost the same way, but the
behavior is different:

limesurvey.conf in proxy server apache:
https://pastebin.com/PXs5mbiA

http://limesurvey.slat.org will be redirected to https://limesurvey.slat.org,
which should get from *http*://limesurvey57.slat.org via reverse proxy
where the ip of limesurvey57.slat.org is also defined in /etc/hosts of
proxy server like above.

But, the real behavior becomes that it will try to find *https*://
limesurvey57.slat.org and got connection refused.

I used wget -o- https://limesurvey.slat.org and found that it returns a 302
to https://limesurvey57.slat.org

$ LANG=C wget -o- https://limesurvey.slat.org
--2020-04-13 19:49:04--  https://limesurvey.slat.org/
Resolving limesurvey.slat.org (limesurvey.slat.org)... 122.116.230.54
Connecting to limesurvey.slat.org (limesurvey.slat.org)|122.116.230.54|:443...
connected.

*HTTP request sent, awaiting response... 302 Found Location:
https://limesurvey57.slat.org/ <https://limesurvey57.slat.org/> [following]
*
--2020-04-13 19:49:04--  https://limesurvey57.slat.org/
Resolving limesurvey57.slat.org (limesurvey57.slat.org)... 192.168.xxx.57
Connecting to limesurvey57.slat.org
(limesurvey57.slat.org)|192.168.xxx.57|:443...
failed: Connection ref
used.

The backend apache virtual config is quite simple:
conf.la.conf:
https://pastebin.com/J8R9tVb9

limesurvey.conf:
https://pastebin.com/igR33iz2

conf.libreoffice.asia works perfectly but limesurvey.slat.org doesn't.  I
don't know why the reverse proxy behaviors are different.

Would anyone please give me some hints?


Thanks, Franklin

Re: [users@httpd] Strange behavior for reverse proxy

Posted by Franklin Weng <fr...@goodhorse.idv.tw.INVALID>.

Hi Eric,

Thanks.  I've solved this problem.  It is indeed caused by limesurvey's
settings.  Following its way didn't solve the redirect behavior but I
reinstalled it solved this issue.
Thanks for your help.

Franklin

Eric Covener <co...@gmail.com> 於 2020年4月13日 週一 下午8:07寫道：

> > Would anyone please give me some hints?
>
> I suspect the app itself is redirecting to SSL, so even fixing the
> redirect by adding a 2nd ProxyPassReverse (https) is likely to just
> loop:
>
>     ProxyPassReverse "/" "https://limesurvey57.slat.org/"
>
> I think you will have to somehow get the app to accept e.g.
> X-Forwarded-Proto or something like that, or just disable whatever SSL
> redirect it does.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>

-- 
Franklin Weng
中華民國軟體自由協會常務理事
LibreOffice 導入專家
LibreOffice 法人代表文件基金會董事會副主席、認證委員會委員

Re: [users@httpd] Strange behavior for reverse proxy

Posted by Eric Covener <co...@gmail.com>.

> Would anyone please give me some hints?

I suspect the app itself is redirecting to SSL, so even fixing the
redirect by adding a 2nd ProxyPassReverse (https) is likely to just
loop:

    ProxyPassReverse "/" "https://limesurvey57.slat.org/"

I think you will have to somehow get the app to accept e.g.
X-Forwarded-Proto or something like that, or just disable whatever SSL
redirect it does.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org