httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Chris Arnold <carn...@electrichendrix.com>
Subject Re: [users@httpd] Rewrite Rule
Date Thu, 25 Apr 2013 17:59:06 GMT
Ooopppsss!! Anyway I can get a mod to delete my last email to the list?

Sent from my iPhone

On Apr 25, 2013, at 1:44 PM, "Chris Arnold" <carnold@electrichendrix.com> wrote:

> Sorry to email you directly but i am doing this to give you the complete unedited config
files. I don't want them on an indexed mailing list for security reasons. Either you or i
can post back to the list so others are aware of the findings.
> 
> So i have made the namevirtualhost edit in my listen.conf file:
> 
> Listen 80
> 
> 
> <IfDefine SSL>
>    <IfDefine !NOSSL>
>    <IfModule mod_ssl.c>
> 
> #        Listen 443
> 
>    </IfModule>
>    </IfDefine>
> </IfDefine>
> 
> 
> # Use name-based virtual hosting
> # 
> # - on a specified address / port:
> #
> #NameVirtualHost 12.34.56.78:80
> #
> # - name-based virtual hosting:
> #
> NameVirtualHost *:443
> 
> Here is the "main" ssl virtual host:
> 
> <IfDefine SSL>
> <IfDefine !NOSSL>
> 
> <VirtualHost *:443>
>    #This will be the default vhost because the name starts with 000
> 
>    #  General setup for the virtual host
>    #DocumentRoot "/srv/www/htdocs"
>    ServerName teknerds.net:443
>    ServerAlias mail.* ifolder.*
> 
>    #This rewrites https://mail.anydomain.tld to our mail server
>    RewriteEngine On
>    RewriteCond %{HTTP_HOST} ^mail\.
>    RewriteCond %{HTTPS} on
>    RewriteRule ^/(.*) https://192.168.124.3/$1 [P]
>    #RedirectMatch ^/$ /zimbra/
> 
>    #This rewrites https://mail.anydomain.tld to our mail server
>    #RewriteEngine On
>    #RewriteLog /var/log/apache2/rewrite.log
>    #RewriteLogLevel 3
>    #RewriteCond %{HTTP_HOST} ^apps\.
>    #RewriteCond %{HTTPS} on
>    #RewriteRule ^/(.*) https://192.168.123.7/rdweb/ [P]
>    #RedirectMatch ^/$ /rdweb/
> 
>    RewriteCond %{HTTP_HOST} ^webmail\.
>    RewriteCond %{HTTPS} on
>    RewriteRule ^/(.*) https://192.168.124.3/$1 [P]
>    
>    #This rewrites https://ifolder.anydomain.tld to our ifolder server
>    #RewriteCond %{HTTP_HOST} ^ifolder\.
>    #RewriteCond %{HTTPS} on
>    #RewriteRule ^/(.*) https://192.168.123.4/ifolder/$1 [P]
>    #RedirectMatch ^/$ /ifolder/
> 
>    #This rewrites https://share.anydomain.tld to our alfresco server
>    #RewriteCond %{HTTP_HOST} ^share\.
>    #RewriteCond %{HTTPS} on
>    #RewriteRule ^/(.*) http://192.168.123.3:8080/share/$1 [P]
>    
>    #ServerAdmin webmaster@example.com
>    ErrorLog /var/log/apache2/error_log
>    TransferLog /var/log/apache2/access_log
> 
>    SSLProxyEngine On
>    ProxyPreserveHost On
>    ProxyPass /ifolder https://192.168.123.4/ifolder
>    ProxyPassReverse /ifolder https://192.168.123.4/ifolder
>    ProxyPass /simias10 https://192.168.123.4/simias10
>    ProxyPassReverse /simias10 https://192.168.123.4/simias10
>    ProxyPass /admin https://192.168.123.4/admin
>    ProxyPassReverse /admin https://192.168.123.4/admin
>    ProxyPass /nps https://192.168.123.4/nps
>    ProxyPassReverse /nps https://192.168.123.4/nps
>    
>    #ProxyPass / https://192.168.124.3/
>    #ProxyPassReverse / https://192.168.124.3/
>    #<Proxy *>
>    #    Order allow,deny
>    #    Allow from all
>    #</Proxy>
> 
>    #   SSL Engine Switch:
>    #   Enable/Disable SSL for this virtual host.
>    SSLEngine on
> 
>    #   SSL Cipher Suite:
>    #   List the ciphers that the client is permitted to negotiate.
>    #   See the mod_ssl documentation for a complete list.
>    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> 
>    #   Server Certificate:
>    #   Point SSLCertificateFile at a PEM encoded certificate.  If
>    #   the certificate is encrypted, then you will be prompted for a
>    #   pass phrase.  Note that a kill -HUP will prompt again.  Keep
>    #   in mind that if you have both an RSA and a DSA certificate you
>    #   can configure both in parallel (to also allow the use of DSA
>    #   ciphers, etc.)
>    SSLCertificateFile /etc/apache2/ssl.crt/server.crt
> 
> Here is the apps virtualhost file:
> 
> <VirtualHost *:443>
>  ServerName apps.teknerds.net
>  SSLEngine On
>  SSLCertificateFile /etc/apache2/ssl.crt/server.crt
>  SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
> 
>  ProxyPass / https://192.168.123.7/rdweb
>  ProxyPassReverse / https://192.168.123.7/rdweb
> 
>    ErrorLog /var/log/apache2/apps.error_log
>    TransferLog /var/log/apache2/apps.access_log
> </VirtualHost> 
> 
> With this present config, when going to https://apps.teknerds.net in IE 8, internet explorer
can not display the web page. The apps.error log does not show anything in it except the certificate
name not matching.
> Also in this present config, webmail stops working and ifolder stops working. These are
in the "main" ssl virtualhost and you access them by https://mail.teknerds.net and https://teknerds.net/ifolder.
I am going to undo the listen.conf edit and rename the apps ssl host file as we have customers
that use these resources.
> Should you want access to the server, i can supply that, just let me know. Thanks for
the help
> 
> ----- Original Message -----
> From: "Tom Evans" <tevans.uk@googlemail.com>
> To: users@httpd.apache.org
> Sent: Thursday, April 25, 2013 12:39:47 PM
> Subject: Re: [users@httpd] Rewrite Rule
> 
> On Thu, Apr 25, 2013 at 4:53 PM, Chris Arnold
> <carnold@electrichendrix.com> wrote:
>> On Apr 25, 2013, at 11:32 AM, "Tom Evans" wrote:
>> 
>>> It looks like you are rewriting it to it's current location. This
>>> leads to a loop.
>>> 
>>> Why are you using rewrite rules anyway?
>> 
>> Because reverse proxy does not work
> 
> ...
> 
> The *only* way to get content from a backend is via reverse proxy.
> 
>> 
>> 
>>> It seems like you want to
>>> reverse proxy from an apache server with a public IP to a backend
>>> webserver in your private LAN. Where do rewrite rules come in to this?
>>> Why are you checking the host name in your rewrite rules, instead of
>>> using vhosts? Why is this not your configuration:
>> 
>> As I stated in an earlier post, apache does not start when more than 1 ssl
>> virtual host (complains about overlap)
> 
> Not using vhosts is frankly more trouble than it is worth. Use vhosts.
> Post about the problem that using vhosts gives you. You must be using
> the same certificate for both hostnames anyway (presumably a wildcard
> cert or using subjectAltName, or you just ignore the errors?), so the
> configuration should be pretty straightforward.
> 
>> 
>> 
>>> ServerName apps.tld
>>> ProxyPass / https://192.168.123.7/
>>> ProxyPassReverse / https://192.168.123.7/
>> 
>> We have many different things that run on this server and apache handles
>> them. When using "/" in your proxy config, everything stops working, email,
>> other websites etc.
> 
> So don't proxy from /, or add specific excludes for the paths you do
> not want to be proxied:
> 
> ProxyPass /email !
> ProxyPass / https://192.168.123.7/
> 
> Again, this problem goes away if you correctly separate out your
> separate hosts into their own vhost configuration.
> 
>> 
>>> 
>>> I'm very confused by what you're trying to achieve.
>> 
>> I covered this in my first email but will try to describe it again: server
>> behind an apache server that we need users to get to using
>> https://apps.domain.tld. The app resides at http:///sub. We need apache to
>> catch the https://apps.domain.tld request and send to https://another
>> server/sub
> 
> 
> NameVirtualHost *:443
> 
> <VirtualHost *:443>
>  ServerName www.domain.tld
>  SSLEngine On
>  SSLCertificateFile ..
>  SSLCertificateKeyFile ..
> 
>  # All your current directives that apply to www
> </VirtualHost>
> 
> <VirtualHost *:443>
>  ServerName apps.domain.tld
>  SSLEngine On
>  SSLCertificateFile ..
>  SSLCertificateKeyFile ..
> 
>  ProxyPass / https://192.168.123.7/
>  ProxyPassReverse / https://192.168.123.7/
> </VirtualHost>
> 
> Cheers
> 
> Tom
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
> 

Mime
View raw message