httpd-users mailing list archives

From "Serge Dubrouski" <serge...@gmail.com>
Subject Re: [users@httpd] Apache 2 mod_proxy & mod_rewrite questions
Date Fri, 29 Sep 2006 16:07:19 GMT
Also take a look at this
http://httpd.apache.org/docs/2.2/mod/mod_ext_filter.html
It can be used for writing an output filter.

On 9/29/06, Serge Dubrouski <sergeyfd@gmail.com> wrote:
> If I'm right about absolute links, the best way to fix that is to make
> your backend server produce relative links only, i.e. without the
> server name.
> The other way is writing a special handler that would parse all outgoing
> data and strip the name of the backend server from the links. Of course,
> it will lead to a huge performance loss.
>
>
> On 9/29/06, Jeff DeFord <jeff.deford@gmail.com> wrote:
> > Hmmm, interesting.  So how do I get around this? I am perplexed to say
> > the least...
> >
> > On 9/29/06, Serge Dubrouski <sergeyfd@gmail.com> wrote:
> > > I've tested a configuration like yours and everything works all right
> > > in my test environment. So I still think that your real server
> > > (Oracle Application Server) somehow generates absolute (not relative)
> > > links. I'm almost sure of that.
> > >
> > > On 9/29/06, Jeff DeFord <jeff.deford@gmail.com> wrote:
> > > > AFAIK, it is all static content with some jsp pages. No CGI/PHP/Etc...
> > > > The real server is an Oracle application server, so all of the web
> > > > content was derived from the installation process script "AutoConfig".
> > > >
> > > > My confusion is in trying to get the URLs rewritten and proxied that
> > > > go beyond the root level.  I have tried various combinations of
> > > > ProxyPass and ProxyPassReverse statements, Rewrite Rules, etc. and so
> > > > far I can only get the root-level HTML to proxy and rewrite.
> > > >
> > > > so the real url
> > > > https://realserver:8050/some_page.html
> > > >
> > > > appears to be
> > > > https://proxyserver/some_page.html
> > > >
> > > > Just as it should.
> > > >
> > > > But mousing over or clicking any URL with a directory path beyond "/"
> > > > shows that the URL does not get rewritten or proxied and I have tried
> > > > a myriad of combinations with ProxyPass/Reverse and RewriteRule
> > > > directives all to no avail.
> > > >
> > > > Here are the important bits of the httpd.conf file:
> > > >
> > > > <VirtualHost *:80>
> > > >   ServerName proxy_server
> > > >   RewriteEngine   On
> > > >   RewriteLogLevel 9
> > > >   RewriteLog      logs/rewrite_log
> > > >   ## Redirect all incoming HTTP requests to HTTPS locally before proxying.
> > > >   RewriteRule ^/(.*) https://proxy_server/$1 [R,L]
> > > > </VirtualHost>
> > > >
> > > >
> > > > <VirtualHost _default_:443>
> > > >   # General setup for the virtual host
> > > >   ServerName proxy_server
> > > >   SSLEngine on
> > > >   SSLOptions +StrictRequire
> > > >   SSLProtocol -all +TLSv1 +SSLv3
> > > >   SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
> > > >
> > > >   # Server Certificate:
> > > >   SSLCertificateFile conf/ssl.crt/server.crt
> > > >   # Server Private Key:
> > > >   SSLCertificateKeyFile conf/ssl.key/server.key
> > > >   # SSL Protocol Adjustments:
> > > >   SetEnvIf User-Agent ".*MSIE.*" \
> > > >   nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
> > > >   # Per-Server Logging:
> > > >   #CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
> > > >   CustomLog logs/ssl_request_log common
> > > >
> > > >   RewriteEngine   On
> > > >   RewriteLogLevel 9
> > > >   RewriteLog      logs/rewrite_log
> > > >
> > > >   ProxyRequests     Off
> > > >   SSLProxyEngine    On
> > > >   SSLProxyCACertificateFile conf/cacerts.crt
> > > >   ProxyPreserveHost On
> > > >   ProxyPass              /      https://real_server:8050/
> > > >   ProxyPassReverse  /      https://real_server:8050/
> > > > </VirtualHost>
> > > >
> > > >
> > > > I have tried putting proxy rules in the 443 virtual host
> > > > I have tried putting proxy rules in the IfModule mod_proxy.c section
> > > > I have tried rewrite rules in all kinds of places and all kinds of
> > > > combinations of proxy and rewrite directives...
> > > > But somehow I can't get the combination right.
> > > >
> > > > I want URLs from the real server like this one
> > > > https://real_server:8050/dir1/dir2/jsp/some_page.jsp
> > > >
> > > > to get proxied and appear as if they came from the proxy server
> > > > https://proxy_server/dir1/dir2/jsp/some_page.jsp
> > > >
> > > > I just don't know where to put the rules and if I need both proxy and
> > > > rewrite rules for every possible URL/directory structure combination
> > > > that exists on the real server.
> > > >
> > > > Any help or direction would be greatly appreciated.
> > > >
> > > > -=jeff
> > > >
> > > >
> > > > On 9/28/06, Serge Dubrouski <sergeyfd@gmail.com> wrote:
> > > > > What kind of "real" server do you have on the backend? Does it have static
> > > > > content or dynamic? Could it be that your wrong links are generated on
> > > > > the backend by PHP/ASP/CGI or any other dynamic application that uses
> > > > > $SERVER_NAME or some other variable to build absolute links?
> > > > >
> > > > > On 9/28/06, Jeff DeFord <jeff.deford@gmail.com> wrote:
> > > > > > For testing purposes, I'm using a self-signed cert on the proxy server
> > > > > > for the initial redirection, then the proxy server acts as an SSL
> > > > > > client for all proxied requests that are handed off to the app server
> > > > > > which is listening on port 8050 (SSL) using a real certificate.
> > > > > >
> > > > > > I copied the real cert file to the proxy server and put it in a file
> > > > > > called cacerts.crt and added the directive shown below to the
> > > > > > httpd.conf file:
> > > > > >
> > > > > > SSLProxyCACertificateFile conf/cacerts.crt
> > > > > >
> > > > > > In this configuration, the proxy server can be configured to be an SSL
> > > > > > client for many sites each having their own cert.
> > > > > >
> > > > > > My problem is getting the proxy server configured so that mod_proxy
> > > > > > and mod_rewrite do their job for the URLs on the app server that are
> > > > > > below the root level and incorporate multiple levels of directories in
> > > > > > the URL. It all works great for root-level URLs.
> > > > > >
> > > > > > I hope I answered your question. Now if someone could help me answer mine...
> > > > > >
> > > > > > -=jeff
> > > > > >
> > > > > >
> > > > > > On 9/28/06, John king <johnking06@gmail.com> wrote:
> > > > > > > Where is your server cert installed? If it is installed on the reverse proxy
> > > > > > > server, do you decrypt the incoming HTTPS
> > > > > > > traffic and re-encrypt it again in the proxy server before sending it to
> > > > > > > the next host?
> > > > > > >
> > > > > > >
> > > > > > > On 9/28/06, Jeff DeFord <jeff.deford@gmail.com> wrote:
> > > > > > > > Not sure if that would work since all requests are HTTPS...
> > > > > > > > Can you elaborate?
> > > > > > > >
> > > > > > > > Here are the modules I compiled in when I built Apache:
> > > > > > > > # ./httpd -l
> > > > > > > > Compiled in modules:
> > > > > > > >   core.c
> > > > > > > >   mod_access.c
> > > > > > > >   mod_auth.c
> > > > > > > >   mod_log_config.c
> > > > > > > >   mod_headers.c
> > > > > > > >   mod_setenvif.c
> > > > > > > >   mod_proxy.c
> > > > > > > >   proxy_connect.c
> > > > > > > >   proxy_ftp.c
> > > > > > > >   proxy_http.c
> > > > > > > >   mod_ssl.c
> > > > > > > >   prefork.c
> > > > > > > >   http_core.c
> > > > > > > >   mod_mime.c
> > > > > > > >   mod_status.c
> > > > > > > >   mod_dir.c
> > > > > > > >   mod_rewrite.c
> > > > > > > >   mod_so.c
> > > > > > > >
> > > > > > > >
> > > > > > > > On 9/27/06, Jim BAO <JXB6@nrc.gov> wrote:
> > > > > > > > > Did you try HTTP Connect?
> > > > > > > > >
> > > > > > > > > >>> jeff.deford@gmail.com 9/27/2006 10:35 AM >>>
> > > > > > > > > All:
> > > > > > > > >
> > > > > > > > > I have some questions regarding the way to implement
> > > > > > > > > Apache as a reverse proxy server using mod_rewrite in order to mask the
> > > > > > > > > real URLs. Users will connect to the proxy, then the proxy will connect to
> > > > > > > > > the real server that is listening on port 8050 (SSL)
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > So far this is what I have working:
> > > > > > > > >
> > > > > > > > > Proxy server listening on port 80 and on 443 and I am
> > > > > > > > > using a rewrite rule to force a redirect to 443 only as shown below:
> > > > > > > > >
> > > > > > > > >  ## Redirect all incoming HTTP requests to HTTPS locally before proxying.
> > > > > > > > >  RewriteRule ^/(.*) https://proxy.server.com/$1 [R,L]
> > > > > > > > >
> > > > > > > > > This works just as expected as my initial http connection gets forced
> > > > > > > > > to https.
> > > > > > > > >
> > > > > > > > > Then I have the following proxy statements set up as shown below for
> > > > > > > > > the default SSL virtual host on the proxy server:
> > > > > > > > >
> > > > > > > > >  ProxyRequests     Off
> > > > > > > > >  SSLProxyEngine    On
> > > > > > > > >  SSLProxyCACertificateFile conf/cacerts.crt
> > > > > > > > >  ProxyPreserveHost On
> > > > > > > > >  ProxyPass         / https://real.server.com:8050/
> > > > > > > > >  ProxyPassReverse  / https://real.server.com:8050/
> > > > > > > > >
> > > > > > > > > This all works great for all of the base URLs on the root level. The
> > > > > > > > > home page URLs on the real server get rewritten and appear to have
> > > > > > > > > originated from the proxy server when I mouse over or
> > > > > > > > > click on a root-level URL.
> > > > > > > > >
> > > > > > > > > However, any URL with a subdirectory below the root level on the real
> > > > > > > > > server does not get rewritten and the real URL (the complete URL on
> > > > > > > > > the real server including the port number 8050) is visible on the
> > > > > > > > > proxied web page.
> > > > > > > > >
> > > > > > > > > Now, how do I go about getting this to work for all of the URLs with
> > > > > > > > > subdirectories? I have read through the documentation and I am stuck.
> > > > > > > > >
> > > > > > > > > Do I need rewrite rules for each URL that has a subdirectory below the
> > > > > > > > > root with a subsequent ProxyPass and ProxyPassReverse statement?
> > > > > > > > >
> > > > > > > > > Do my rewrite rules need to use the proxy flag [P]? Or will they work
> > > > > > > > > once written to mimic the root-level rules?
> > > > > > > > >
> > > > > > > > > Many thanks in advance for any help that you may provide....
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > -=jeff
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > ---------------------------------------------------------------------
> > > > > > > > > The official User-To-User support forum of the Apache HTTP Server Project.
> > > > > > > > > See <URL: http://httpd.apache.org/userslist.html> for more info.
> > > > > > > > > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> > > > > > > > >   "   from the digest: users-digest-unsubscribe@httpd.apache.org
> > > > > > > > > For additional commands, e-mail: users-help@httpd.apache.org
> > > > > > > > >
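
Added example (not part of the original thread or of Apache itself): ProxyPassReverse only adjusts response headers such as Location, so absolute links that the backend writes into the HTML body still expose its name and port to clients. The sketch below is the kind of stdin-to-stdout program mod_ext_filter can run as an output filter; real_server, 8050 and proxy_server are taken from the posted configuration, while the filter name and script path in the comment are hypothetical.

```python
#!/usr/bin/env python3
# Added example: stdin-to-stdout body filter for mod_ext_filter.
# Assumed wiring (filter name and script path are hypothetical):
#   ExtFilterDefine fixlinks mode=output intype=text/html \
#       cmd="/usr/local/bin/fixlinks.py"
#   SetOutputFilter fixlinks
import re
import sys

BACKEND_HOST = b"real_server"          # backend name from the posted config
BACKEND_PORT = b"8050"                 # backend SSL port from the posted config
PUBLIC_BASE = b"https://proxy_server"  # origin that clients should see

# scheme://real_server with an optional :8050, followed by a URL delimiter so
# that real_server:9000 or real_server.example.com are not rewritten by accident.
_BACKEND_RE = re.compile(
    rb"https?://" + re.escape(BACKEND_HOST)
    + rb"(?::" + BACKEND_PORT + rb")?(?=[/\"'\s>?#]|$)",
    re.IGNORECASE,
)
# Any remaining mention of the backend name still discloses it to clients.
_LEAK_RE = re.compile(re.escape(BACKEND_HOST) + rb"(?::\d+)?", re.IGNORECASE)


def rewrite_links(body: bytes) -> bytes:
    """Replace absolute backend origins with the public proxy origin."""
    return _BACKEND_RE.sub(PUBLIC_BASE, body)


def residual_leaks(body: bytes) -> list:
    """Return the distinct backend references left in the body."""
    return sorted({m.group(0) for m in _LEAK_RE.finditer(body)})


if __name__ == "__main__":
    # Work on bytes so pages in any charset pass through unmodified.
    out = rewrite_links(sys.stdin.buffer.read())
    for leak in residual_leaks(out):
        sys.stderr.write("backend reference left in body: %r\n" % leak)
    sys.stdout.buffer.write(out)
```

A backend that sends gzip-encoded responses has to be asked for uncompressed content first, since the filter matches plain bytes.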