I have a setup of the following:
Proxy server: https://proxy-server.com
application server: https://app-server.com
and a CAS (sso) server: https://sso-server.com
I can get the following working:
https://proxy-server.com/cas/login?service=https://app-server.com/app
But the problem for this URL is it exposes the actual app-server, which is behind the proxy server.
Ideally, I want the following:
https://proxy-server.com/cas/login?service=https://proxy-server.com/app
My question is:
Is there a way to hide (use post, encrypt targetService part, callback on proxy side, or...) the app-server.com in the URL? since I have a proxy server in front, I don't want to expose the actual app server name.
thanks
If you're running something like Apache mod_proxy on https://proxy-server.com then you should be able to hide your app behind it. Based on your example it looks like you're already doing that with your cas server since your stated your cas login url as https://proxy-server.com/cas/login
Following the same idea your app can be reached using https://proxy-server.com/app
ProxyPass /cas https://sso-server.com/cas
ProxyPassReverse /cas https://sso-server.com/cas
ProxyPass /app https://app-server.com/app
ProxyPassReverse /app https://app-server.com/app
You'd probably have to modify your serviceUrls so they are relate to proxy-server.com
ProxyPass And ProxyPassReverse Configuration
Proxy HOW-TO
Related
I have a rails application running on a private subnet, using port 8080, without SSL enabled.
I also have an Apache SSL server on a DMZ, which I use as a reverse proxy to the rails application I mention first.
The problem is, rails include some absolute url in the generated code, with adresses beginning with http://...
If i use config.force_ssl = true as I read here or there, there is a infinite redirection, because rails sees the requests coming as plain HTTP and issues a redirect to HTTPS, but as the client already is.
The solution was simple enough: put this line in the reverse proxy configuration file :
RequestHeader set X-Forwarded-Proto "https"
I have configured neo4j in a local machine and it can be easily accessed via LAN (with its IP address like 192.168.22.25:7474).
Now I would like to access the neo4j remotely eg. from my home via web proxy.
What I have tried?
I have changed the dbms.connector.http.address=0.0.0.0:7474 in neo4j.conf file.
In server( IP of server 123.123.123.123) machine I have also added ProxyPass and ProxyPassReverse as follow:
ProxyPass /browser *192.168.22.25:7474/browser
ProxyPassReverse /browser *192.168.22.25:7474/browser
(*could not add http:// here since I could not post two links)
I can access the neo4j remotely like
http://123.123.123.123/browser
but when I tried to login then it does not work further.
Any suggestion is appreciated.
Thanks a lot in advance.
Shrestha
I am trying to setup ProxyPass in Apache 2.4.7 using unix sockets to a puma server for a rails application. I keep receiving a 500 Internal Error. When I check the apache logs I receive this message:
No protocol handler was valid for the URL /. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
This is my proxy config in apache
ProxyPass / unix:///home/rails/rp/tmp/sockets/puma.sock|http://127.0.0.1/
ProxyPassReverse / unix:///home/rails/rp/tmp/sockets/puma.sock|http://127.0.0.1/
If I setup a Proxy Pass on a regular tcp port like this, it works fine.
ProxyPass / http://127.0.0.1:9292
ProxyPassReverse / http://127.0.0.1:9292
Any help is appreciated, let me know if you need anymore information.
In general, there is some point for checking for reverse proxy an http server app over unix socket:
Check if Apache already loaded required modules (proxy & http_proxy) using apachectl -M command
Make sure that socket path is accessible for www-data user (it is default apache user)
Check correctness of running app on unix socket using following command:
curl --unix-socket /var/www/app/socket/path -XGET http:/someMethod
Check that ProxyPreserveHost On already present in your virtual host file and set socket address correctly (as unix:/var/www/path/to/your/socket) and after pipe mark path correctly (as |http://127.0.0.1/what/ever)
Make sure both ProxyPassReverse and ProxyPass is set correctly
I am not sure which proxy handler should handle sockets, so you could try loading them all then see which one does the job for you:
https://httpd.apache.org/docs/trunk/mod/mod_proxy.html
Note that you can also use SetHandler to specify the module you want to handle your connections
Ok, I spent a while to find the solution on one of my old server.
When you have this mod_proxy error, it's because Apache doesn't recognize the proxy module to use behind the unix socket.
Assuming that you obviously already have :
a2enmod proxy
a2enmod proxy_http
service apache2 restart
There's a good chance that your apache config file located at /etc/apache2/mods-available/proxy_http.load is empty
Add theses lines to this file :
# Depends: proxy
LoadModule proxy_http_module /usr/lib/apache2/modules/mod_proxy_http.so
then
service apache2 restart
I have a load balancer that balances 2 servers A & B on the cloud both of which have apache running on them. A & B can serve all the requests except search which is powered only by A. The search request is through http://example.com/search. If B was to receive such a request, how can I forward this request to A and the serve the response received from server A to client?
PS: I am running Ruby on Rails.
Apache's ProxyPass directive seems to do what you're asking for.
You could do something like this in server B configuration:
ProxyPass /search http://server-A.example.com
Is there some way to secure an ffserver webcam stream using Apache / HTTP Authentication? Some type of Apache proxy perhaps?
Right now I have it so only machines on the LAN can view the http://webcam/stream.mjpg, but I want people from the outside to be able to access it if they provide a username / pw (HTTP Auth, which isn't built into ffserver).
Thanks!
For anyone else looking for the solution, I found it:
Use proxy.conf (apache mod-proxy) with directives such as the following:
ProxyPass |external path| http://internal_lan_ip/internal_path
One of mine that works is:
ProxyPass /proxy/matt.mjpg http://192.168.1.10:8090/matt.mjpg
So externally they are going to:
http://myserver.com/proxy/matt.mjpg
And the stream (matt.mjpg) is coming from a different host on the LAN at
http://192.168.1.10:8090/matt.mjpg.
Thus, myserver.com is a "proxy.com" for internal LAN hosts.