httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rainer Frey <rainer.f...@inxmail.de>
Subject Re: [users@httpd] mod_proxy ProxyPassReverse incorrectly adjusting Location header in redirect?
Date Thu, 12 Apr 2012 06:28:15 GMT
Hi,

I don't know the solution out of my head, but maybe pointing out what goes wrong helps you
already.

On 11.04.2012, at 18:11, Charlie Katz wrote:

> Hi, as an interim solution in an internal reorganization of server resources, I 
> want to use mod_proxy as a reverse proxy to move the entire functionality of a 
> public-facing server (www.example.com) to an internal server 
> (internal.example.com).  (configuration at end)
> 
> https is used in this site only for logging in, after which a 302 redirect is 
> issued pointing to http://www.example.com/home.html, and the session continues 
> through http.  I am having trouble getting ProxyPassReverse to rewrite the 
> Location header in the redirect properly.
> 
> Here's the sequence:
> -client sends POST login credentials to https://www.example.com/login.html

So you are in the SSL VirtualHost context, in which the reply is evaluated as well.

> -request is proxied by https://www.example.com to 
> https://internal.example.com/login.html
> -login succeeds, respond with 302 redirect to 
> http://internal.example.com/home.html
> -reply goes to https://www.example.com

Which is the SSL VHost.

> - ******** ProxyPassReverse rewrites the Location header 
> from http://internal.example.com/home.html to https://www.example.com/home.html

Yes. The directive is:
> ProxyPassReverse / http://internal.example.com/

It matches http://internal.example.com/ to the Location header value of http://internal.example.com/home.html,
and replaces it with the /local path/ of '/' within the context of the /current virtual host/,
using either the canonical hostname of the VHost or the original request's hostname depending
on UseCanonicalName directive.

So the result of ProxyPassReverse will *always* be a URL within the current VHost, but you
need to send a redirect to your other, non-SSL VHost.

You'll need a different or additional way to adjust the redirection than ProxyPassReverse
(alone).

One way could be accepting that the client will receive the HTTPS redirect URL, and when it
follows that, explicitly redirect https://www.example.com/home.html to http://www.example.com/home.html

This of course means that the client sees one more redirect.
Another idea is using mod_headers to process the Location header in the proxy response. But
I'm not sure that will work, depending on how Apache will chain mod_proxy and mod_headers
in that case.


> -reply received by client, which acts on the redirect
> 
> The starred ******* step is what is going wrong, as the proxy is changing the 
> http to https despite the explicit "ProxyPassReverse / 
> http://internal.example.com" line.
> 
> I have tried many different tweaks to the configuration, but I always find that 
> the header is rewritten back to https despite my explicitly specifying http in 
> the response.

This is the misunderstanding. The URL as second argument to the ProxyPassReverse directive
is *not* used in the response in any way, it is only used to match a location header returned
by a proxy backend to determine if and what to replace. The replacement is always the current
host URL.

> I feel like I must be misunderstanding something here.  Can anyone help me 
> untangle it?
> 
> Regards,
> Charlie Katz

HTH
Rainer
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message