Posted to users@httpd.apache.org by enigma <e_...@yahoo.com> on 2006/06/12 22:53:42 UTC

[users@httpd] self-referential URL's and load balancer

I have a problem with the self-referential URL's being generated by Apache
when a hardware load balancer is front ending it.

The load balancer listens on port 443, decrypts SSL and forwards standard
http to Apache on port 13443 on the cluster machines. The problem I
encounter is when Apache generates self-referential URL's for mod_dir
trailing slash redirects and mod_rewrite redirects, it is sending the
protocol as http and the port as 13443. So for instance, the browser
requests:

https://www.example.com/test

The redirect returned by Apache is:

http://www.example.com:13443/test/

which is invalid on the load balancer and no longer SSL.

I want it to be:

https://www.example.com/test/

I have tried setting UseCanonicalName Off without success. I can remap the
port with the port directive, but it still changes the https to http.

Any suggestions??


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] self-referential URL's and load balancer

Posted by Joshua Slive <jo...@slive.ca>.
On 6/12/06, enigma <e_...@yahoo.com> wrote:
>
> I have a problem with the self-referential URL's being generated by Apache
> when a hardware load balancer is front ending it.
>
> The load balancer listens on port 443, decrypts SSL and forwards standard
> http to Apache on port 13443 on the cluster machines. The problem I
> encounter is when Apache generates self-referential URL's for mod_dir
> trailing slash redirects and mod_rewrite redirects, it is sending the
> protocol as http and the port as 13443. So for instance, the browser
> requests:
>
> https://www.example.com/test
>
> The redirect returned by Apache is:
>
> http://www.example.com:13443/test/
>
> which is invalid on the load balancer and no longer SSL.
>
> I want it to be:
>
> https://www.example.com/test/
>
> I have tried setting UseCanonicalName Off without success. I can remap the
> port with the port directive, but it still changes the https to http.
>
> Any suggestions??

We had an almost identical question two days ago (see below).
Unfortunately, I don't believe there is any way to fix this completely
from the apache side short of using the unreleased svn-head version of
apache which allows the scheme to be specified with the ServerName
directive.

On 6/11/06, Damian Birchler <da...@r-film.ch> wrote:
> Hi all
>
> I have got Squid installed as an httpd accelerator for httpd. Squid will
> not allow requests to internal.example.com other than per SSL/TLS. Squid
> itself talks to httpd in plain text. Now, when httpd generates automatic
> redirects -- what I mean by this, is for example redirecting /foo to /foo/
> -- it tells the client to try HTTP://internal.example.com/foo/ which is
> then blocked by Squid.
>
> So, my question: Is it somehow possible to customize automatic redirects,
> for instance by telling httpd to use only relative paths?

Relative paths are not legal in redirects.  Squid probably has the
capability to rewrite these headers itself (as apache's mod_proxy can
do with the ProxyPassReverse directive).  Otherwise, you can tell
apache to lie about its true hostname using the ServerName and
UseCanonicalName directives.  But you will still have a problem with
the scheme.  The latest development version of apache allows you to
configure ServerName to lie about the scheme, but I don't think any
released version can do that.

Joshua.



Re: [users@httpd] self-referential URL's and load balancer

Posted by Sander Temme <sc...@apache.org>.
Hi enigma,


On Jun 12, 2006, at 1:53 PM, enigma wrote:

>
> I have a problem with the self-referential URL's being generated by Apache
> when a hardware load balancer is front ending it.

This is a well-known problem with load balancing and SSL offload in  
front of any web server. The httpd simply doesn't know that HTTPS  
exists in front of it, and can not generate the correct Location:  
headers for Redirect responses.

Some load balancers have built-in fixups for outgoing response  
headers. You can use those to repair the Location: headers as they  
are sent to the browser. See your load balancer documentation,  
support community or your favorite SE to set this up.

Which version of Apache are you using on which platform? The trunk of  
Apache now has support for setting the scheme in the ServerName  
directive, so you can go

ServerName https://myserver.foo.com

with optional port. You can see the code at:

http://svn.apache.org/viewvc?view=rev&revision=399947

That should go a long way towards fixing your issue, especially if   
everything you do happens inside the web server. And, any module that  
plays nice and calls the http_scheme hook should get the correct  
information.

I have proposed to backport this to Apache 2.2, and a version of the  
patch that applies to the 2.2.x  branch is at:

http://people.apache.org/~sctemme/servername_22x.patch

Unfortunately, httpd 1.3 hardcodes this scheme information so this
approach will not work. The EAPI patch at least makes it settable,
but you only have that if you have mod_ssl.

> https://www.example.com/test/
>
> I have tried setting UseCanonicalName Off without success. I can remap the
> port with the port directive, but it still changes the https to http.

UseCanonicalName Off should help with the port value, but not the  
scheme.

You mention the Port directive, which disappeared in httpd 2.0 so
that means you're using 1.3. As I said, the
ServerName [scheme://]hostname[:port] code does not work with that
version, so unless you can upgrade you'll have to fix this on the
Load Balancer.

S.

-- 
sander@temme.net              http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF




-- 
sctemme@apache.org            http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF
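
The Location: header fixup that the replies above say has to happen on the SSL-offloading device, sketched as an added example that is not part of the original thread or of any load balancer's own code. The host name and ports are the ones from the question; the function names, and the choice to also rewrite a port-less or `:443` http URL, are assumptions of this sketch.

```python
from urllib.parse import urlsplit, urlunsplit

# Values from the thread's example; everything else here is hypothetical.
PUBLIC_HOST = "www.example.com"
PUBLIC_PORT = 443      # where the load balancer terminates SSL
BACKEND_PORT = 13443   # where Apache listens for plain http


def fix_location(location, public_host=PUBLIC_HOST,
                 public_port=PUBLIC_PORT, backend_port=BACKEND_PORT):
    """Rewrite a backend-generated redirect target to the public https origin.

    Only absolute http:// URLs that name the public host are touched, so
    redirects to other sites and relative values pass through unchanged.
    """
    parts = urlsplit(location)
    if parts.scheme.lower() != "http" or parts.hostname is None:
        return location
    # .hostname ignores any userinfo, so "http://www.example.com:13443@other/"
    # is compared as host "other" and left alone.
    if parts.hostname.lower() != public_host.lower():
        return location
    try:
        port = parts.port
    except ValueError:          # malformed port: do not guess
        return location
    # Assumption: the backend may emit its own port, the remapped public
    # port (the "Port directive" case in the thread), or no port at all.
    if port not in (None, backend_port, public_port):
        return location
    netloc = public_host if public_port == 443 else f"{public_host}:{public_port}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def fix_headers(headers):
    """Apply fix_location to redirect-bearing headers in a (name, value) list."""
    targets = ("location", "content-location")
    return [(n, fix_location(v) if n.lower() in targets else v)
            for n, v in headers]


if __name__ == "__main__":
    # Constructed response headers matching the redirect quoted in the thread.
    sample = [("Location", "http://www.example.com:13443/test/"),
              ("Content-Type", "text/html")]
    for name, value in fix_headers(sample):
        print(f"{name}: {value}")
```

A response that still carries an `http://` Location for the public host after this step sends the browser's next request in cleartext, so it is worth logging any such value the rewrite declined to touch.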