From: "Serge Dubrouski"
To: users@httpd.apache.org
Date: Fri, 29 Sep 2006 09:05:48 -0600
Subject: Re: [users@httpd] Apache 2 mod_proxy & mod_rewrite questions

Honestly I'm not really familiar with ProxyPass and ProxyPassReverse. I
would do the following:

RewriteRule ^/(.*)$ https://real_server:8050/$1 [P,L]

Try to put that instead of your ProxyPass and ProxyPassReverse. That
should do the trick.

On 9/29/06, Jeff DeFord wrote:
> AFAIK, it is all static content with some jsp pages. No CGI/PHP/Etc...
> The real server is an Oracle application server, so all of the web
> content was derived from the installation process script "AutoConfig".
>
> My confusion is in trying to get the URL's rewritten and proxied that
> go beyond the root level. I have tried various combinations of
> ProxyPass and ProxyPassReverse statements, Rewrite Rules, etc and so
> far I can only get the root-level HTML to proxy and rewrite.
>
> so the real url
> https://realserver:8050/some_page.html
>
> appears to be
> https://proxyserver/some_page.html
>
> Just as it should.
>
> But mousing over or clicking any url with a directory path beyond "/"
> shows that the URL does not get rewritten or proxied and I have tried
> a myriad of combinations with ProxyPass/Reverse and RewriteRule
> directives all to no avail.
>
> Here are the important bits of the httpd.conf file:
>
>
> ServerName proxy_server
> RewriteEngine On
> RewriteLogLevel 9
> RewriteLog logs/rewrite_log
> ## Redirect all incoming HTTP requests to HTTPS locally before proxying.
> RewriteRule ^/(.*) https://proxy_server/$1 [R,L]
>
>
>
>
> # General setup for the virtual host
> ServerName proxy_server
> SSLEngine on
> SSLOptions +StrictRequire
> SSLProtocol -all +TLSv1 +SSLv3
> SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
>
> # Server Certificate:
> SSLCertificateFile conf/ssl.crt/server.crt
> # Server Private Key:
> SSLCertificateKeyFile conf/ssl.key/server.key
> # SSL Protocol Adjustments:
> SetEnvIf User-Agent ".*MSIE.*" \
>     nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
> # Per-Server Logging:
> #CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
> CustomLog logs/ssl_request_log common
>
> RewriteEngine On
> RewriteLogLevel 9
> RewriteLog logs/rewrite_log
>
> ProxyRequests Off
> SSLProxyEngine On
> SSLProxyCACertificateFile conf/cacerts.crt
> ProxyPreserveHost On
> ProxyPass / https://real_server:8050/
> ProxyPassReverse / https://real_server:8050/
>
>
>
> I have tried putting proxy rules in the 443 virtual host
> I have tried putting proxy rules in the IfModule mod_proxy.c section
> I have tried rewrite rules in all kinds of places and all kinds of
> combinations of proxy and rewrite directives...
> But somehow I can't get the combination right.
>
> I want URLs from the real server like this one
> https://real_server:8050/dir1/dir2/jsp/some_page.jsp
>
> to get proxied and appear as if they came from the proxy server
> https://proxy_server/dir1/dir2/jsp/some_page.jsp
>
> I just don't know where to put the rules and if I need both proxy and
> rewrite rules for every possible URL/directory structure combination
> that exists on the real server.
>
> Any help or direction would be greatly appreciated.
>
> -=jeff
>
>
> On 9/28/06, Serge Dubrouski wrote:
> > What kind of "real" server do you have on backend? Does it have static
> > content or dynamic? Could it be that your wrong links are generated on
> > backend by PHP/ASP/CGI or any other dynamic application that uses
> > $SERVER_NAME or some other variable to build absolute links?
> >
> > On 9/28/06, Jeff DeFord wrote:
> > > For testing purposes, I'm using a self-signed cert on the proxy server
> > > for the initial redirection, then the proxy server acts as a SSL
> > > client for all proxied requests that are handed off to the app server
> > > which is listening on port 8050 (SSL) using a real certificate.
> > >
> > > I copied the real cert file to the proxy server and put it in a file
> > > called cacerts.crt and added the directive shown below to the
> > > httpd.conf file:
> > >
> > > SSLProxyCACertificateFile conf/cacerts.crt
> > >
> > > In this configuration, the proxy server can be configured to be a SSL
> > > client for many sites each having their own cert.
> > >
> > > My problem is getting the proxy server configured so that mod_proxy
> > > and mod_rewrite do their job for the URLs on the app server that are
> > > below the root level and incorporate multiple levels of directories in
> > > the URL. It all works great for root-level URL's.
> > >
> > > I hope I answered your question. Now if someone could help me answer mine...
> > >
> > > -=jeff
> > >
> > >
> > > On 9/28/06, John king wrote:
> > > > Where is your server cert installed? If it is installed on the reverse proxy
> > > > server, do you decrypt the incoming HTTPS
> > > > traffic and re-encrypt it again in the proxy server before sending it to
> > > > the next host?
> > > >
> > > >
> > > > On 9/28/06, Jeff DeFord wrote:
> > > > > Not sure if that would work since all requests are HTTPS...
> > > > > Can you elaborate?
> > > > >
> > > > > Here are the modules I compiled in when I built Apache:
> > > > > # ./httpd -l
> > > > > Compiled in modules:
> > > > > core.c
> > > > > mod_access.c
> > > > > mod_auth.c
> > > > > mod_log_config.c
> > > > > mod_headers.c
> > > > > mod_setenvif.c
> > > > > mod_proxy.c
> > > > > proxy_connect.c
> > > > > proxy_ftp.c
> > > > > proxy_http.c
> > > > > mod_ssl.c
> > > > > prefork.c
> > > > > http_core.c
> > > > > mod_mime.c
> > > > > mod_status.c
> > > > > mod_dir.c
> > > > > mod_rewrite.c
> > > > > mod_so.c
> > > > >
> > > > >
> > > > > On 9/27/06, Jim BAO wrote:
> > > > > > Did you try HTTP Connect?
> > > > > >
> > > > > > >>> jeff.deford@gmail.com 9/27/2006 10:35 AM >>>
> > > > > > All:
> > > > > >
> > > > > > I have some questions regarding the way to implement
> > > > > > Apache as a reverse proxy server using mod_rewrite in order to mask the
> > > > > > real URLs. Users will connect to the proxy, then the proxy will connect to
> > > > > > the real server that is listening on port 8050 (SSL)
> > > > > >
> > > > > >
> > > > > > So far this is what I have working:
> > > > > >
> > > > > > Proxy server listening on port 80 and on 443 and I am
> > > > > > using a rewrite rule to force a redirect to 443 only as shown below:
> > > > > >
> > > > > > ## Redirect all incoming HTTP requests to HTTPS locally before proxying.
> > > > > > RewriteRule ^/(.*) https://proxy.server.com/$1 [R,L]
> > > > > >
> > > > > > This works just as expected as my initial http connection gets forced
> > > > > > to https.
> > > > > >
> > > > > > Then I have the following proxy statements set up as shown below for
> > > > > > the default SSL virtual host on the proxy server:
> > > > > >
> > > > > > ProxyRequests Off
> > > > > > SSLProxyEngine On
> > > > > > SSLProxyCACertificateFile conf/cacerts.crt
> > > > > > ProxyPreserveHost On
> > > > > > ProxyPass / https://real.server.com:8050/
> > > > > > ProxyPassReverse / https://real.server.com:8050/
> > > > > >
> > > > > > This all works great for all of the base URLs on the root level. The
> > > > > > home page URLs on the real server get rewritten and appear to have
> > > > > > originated from the proxy server when I mouse over or
> > > > > > click on a root-level URL.
> > > > > >
> > > > > > However, any URL with a subdirectory below the root level on the real
> > > > > > server does not get rewritten and the real URL (the complete URL on
> > > > > > the real server including the port number 8050) is visible on the
> > > > > > proxied web page.
> > > > > >
> > > > > > Now, how do I go about getting this to work for all of the URLs with
> > > > > > subdirectories? I have read through the documentation and I am stuck.
> > > > > >
> > > > > > Do I need rewrite rules for each URL that has a subdirectory below the
> > > > > > root with a subsequent ProxyPass and ProxyPassReverse statement?
> > > > > >
> > > > > > Do my rewrite rules need to use the proxy flag [P]? Or will they work
> > > > > > once written to mimic the root-level rules?
> > > > > >
> > > > > > Many thanks in advance for any help that you may provide....
> > > > > >
> > > > > >
> > > > > > -=jeff
> > > > > >
> > > > > >
> > > > > > ---------------------------------------------------------------------
> > > > > > The official User-To-User support forum of the Apache HTTP Server Project.
> > > > > > See for more info.
> > > > > > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> > > > > >    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> > > > > > For additional commands, e-mail: users-help@httpd.apache.org
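
ProxyPassReverse adjusts only the Location, Content-Location and URI response headers; absolute links that the backend writes into the HTML body pass through unchanged, which matches the symptom in this thread and exposes the internal host and port to clients. The following is an added example, not code from any poster in the thread: a Python check that lists where a proxied response still names the backend origin. The sample response and the login.jsp path are constructed; the host names are the placeholders used in the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

URL_ATTRS = {"href", "src", "action"}  # attributes a browser follows or fetches
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, port) for an absolute URL, None for a relative one."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        return None
    return (parts.scheme, parts.hostname.lower(),
            parts.port or DEFAULT_PORTS.get(parts.scheme))


class LinkCollector(HTMLParser):
    """Collect (tag, attribute, value) for every URL-bearing attribute."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        self.links += [(tag, k, v) for k, v in attrs if k in URL_ATTRS and v]


def find_backend_leaks(headers, body, backend):
    """List headers and HTML links that still name the backend origin."""
    target = origin(backend)
    leaks = [("header", name, headers[name])
             for name in ("Location", "Content-Location")
             if name in headers and origin(headers[name]) == target]
    collector = LinkCollector()
    collector.feed(body)
    leaks += [("body", f"<{tag} {attr}>", value)
              for tag, attr, value in collector.links if origin(value) == target]
    return leaks


# Constructed sample: a response as the browser receives it from proxy_server.
SAMPLE_HEADERS = {"Content-Type": "text/html"}
SAMPLE_BODY = """
<a href="/some_page.html">root-level page</a>
<a href="https://real_server:8050/dir1/dir2/jsp/some_page.jsp">deep page</a>
<form action="https://real_server:8050/dir1/login.jsp" method="post"></form>
<img src="https://proxy_server/images/logo.gif">
"""

if __name__ == "__main__":
    for leak in find_backend_leaks(SAMPLE_HEADERS, SAMPLE_BODY,
                                   "https://real_server:8050/"):
        print(leak)
```

Root-relative links such as /some_page.html resolve against the proxy and are not reported, which is why only the deeper, absolute links show the backend address.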