Apache2: Unterschied zwischen den Versionen
Cbs (Diskussion | Beiträge) (Die Seite wurde neu angelegt: [http://www.debian-administration.org/users/lee/weblog/start/28 VIA] I hit a tricky issue setting up an apache2 based https reverse proxy today. Essentially, the publ...) |
Cbs (Diskussion | Beiträge) |
||
| Zeile 1: | Zeile 1: | ||
| + | ==Global parameters== | ||
| + | IndexOptions FancyIndexing VersionSort NameWidth=* HTMLTable | ||
| + | Direcrory-Indexing Options.<br/> | ||
| + | diese haben auswirkung auf die 'Options +Indexes' angabe, also das directory-listing... | ||
| + | |||
| + | ==Proxy config== | ||
[http://www.debian-administration.org/users/lee/weblog/start/28 VIA] | [http://www.debian-administration.org/users/lee/weblog/start/28 VIA] | ||
Version vom 16. Oktober 2009, 12:17 Uhr
Global parameters
IndexOptions FancyIndexing VersionSort NameWidth=* HTMLTable
Direcrory-Indexing Options.
diese haben auswirkung auf die 'Options +Indexes' angabe, also das directory-listing...
Proxy config
I hit a tricky issue setting up an apache2 based https reverse proxy today.
Essentially, the public address https://secure.example.com/ is a reverse proxy to a private application server on backend.private.example.com . Since the backend application server uses specific hostnames, we need to preserve the hostname when proxying. The apache configuration fragment is straight forward:
<IfModule mod_proxy.c>
<Proxy *>
Order deny,allow
Allow from all
<Proxy>
ProxyRequests Off
ProxyVia Off
ProxyErrorOverride Off
ProxyPreserveHost On
ProxyPassReverse / http://backend.private.example.com/
ProxyPass / http://backend.private.example.com/
</IfModule>
The problem is that we have another server, media.example.com that acts as a frontend for our distributed media storage. In normal http served pages embeded media directly refers to this sever in the html. However, for https pages, media being served from another site will result in error dialogs for the user.
The short term work around was to serve all media from under https://secure.example.com/media/ and to implement a reverse proxy for "/media/" on the application server. This works, but is less than ideal.
What I need to do is specify two different proxies, which is ususally supported by apache2 mod_proxy:
ProxyPass /media/ http://media.example.com/ ProxyPass / http://backend.private.example.com/
But this doesn't work for me, since media.example.com requires that media.example.com be sent as the host identifier. Since ProxyPreserveHost needs to be on for the application server, it's attempting to send secure.example.com to media.example.com. I can't modify media.example.com to recognise this additional name. ProxyPreserveHost can only be set once per VirtualHost, so I can't enclose it in a Location block or similar.
Looking around for a solution I came across a patch, proxy-sethost.patch, but loathe as I am to patch binaries to do things that can be done in configuration, I tried implementing the suggested RequestHeader workaround ("a2enmod headers" if not already enabled).
<IfModule mod_proxy.c>
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyRequests Off
ProxyVia Off
ProxyErrorOverride Off
ProxyPreserveHost On
<IfModule mod_headers.c>
<Proxy "http://media.example.com/">
RequestHeader set Host media.example.com
</Proxy>
ProxyPass /media/ http://media.example.com/
ProxyPassReverse /media/ http://media.example.com/
</IfModule>
ProxyPass / http://backend.private.example.com/
ProxyPassReverse / http://backend.private.example.com/
</IfModule>
A quick test, and checking the logs of media.example.com, show requests are now coming from the frontend proxy rather than the app server, so that looks to have done the trick.
