Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: Apache: Users

mod_proxy: ProxyPassReverse ignored with ProxyPreserveHost?

 

 

Apache users RSS feed   Index | Next | Previous | View Threaded


ron.vandenbranden at kantl

Mar 29, 2012, 9:06 AM

Post #1 of 8 (1274 views)
Permalink
mod_proxy: ProxyPassReverse ignored with ProxyPreserveHost?

Hi,

Apologies for reposting that soon, but I've been thinking more about my
question earlier today (see
<http://markmail.org/message/z3rkvqjjrvecllph>). So, rather than
appearing impatient, I would like to rephrase that question more
clearly. Basically, I have the impression that when ProxyPreserveHost
is switched on, ProxyPassReverse seems to be ignored.

I'll briefly illustrate this observation. With following settings in
httpd.conf:

ProxyPreserveHost off
ProxyPass /apps/ http://localhost:8082/
ProxyPassReverse /apps/ http://localhost:8082/
ProxyPassReverseCookiePath /apps/ /

I can successfully proxy a request for <http://mydomain/apps/my_app/> to
a Tomcat app at <http://localhost:8082/my_app/>. The ProxyPassReverse
directive is working properly, as can be seen for requests that cause an
internal redirection in the Tomcat app: <http://mydomain/apps/my_app/>
correctly redirects (internally, via Tomcat) to
<http://mydomain/apps/my_app/index.htm>.

Yet, when switching on ProxyPreserveHost, internal redirects via Tomcat
fail:

ProxyPreserveHost off
ProxyPass /apps/ http://localhost:8082/
ProxyPassReverse /apps/ http://localhost:8082/
ProxyPassReverseCookiePath /apps/ /

A request for <http://mydomain/apps/my_app/> now redirects to
<http://mydomain/my_app/index.htm>. Moreover, I have the impression
/anything/ can be entered for ProxyPassReverse without making any
difference, e.g.:

ProxyPassReverse /apps/whatever/ http://localhost:8082/

This doesn't affect the redirected URL whatsoever: it always is
redirected to <http://mydomain/my_app/index.htm>. However, with
ProxyPreserveHost switched off, above rule does redirect the original
request to <http://mydomain/apps/whatever/my_app/index.htm>, which is
what I'd expect.

So, my question is: (how) can ProxyPassReverse be made to work in
combination with ProxyPreserveHost?

Kind regards,

Ron


tevans.uk at googlemail

Mar 29, 2012, 9:22 AM

Post #2 of 8 (1281 views)
Permalink
Re: mod_proxy: ProxyPassReverse ignored with ProxyPreserveHost? [In reply to]

On Thu, Mar 29, 2012 at 5:06 PM, Ron Van den Branden
<ron.vandenbranden [at] kantl> wrote:
> Hi,
>
> Apologies for reposting that soon, but I've been thinking more about my
> question earlier today (see <http://markmail.org/message/z3rkvqjjrvecllph>).
> So, rather than appearing impatient, I would like to rephrase that question
> more clearly. Basically, I have the impression that when  ProxyPreserveHost
> is switched on, ProxyPassReverse seems to be ignored.
>
> I'll briefly illustrate this observation. With following settings in
> httpd.conf:
>
> ProxyPreserveHost off
> ProxyPass /apps/ http://localhost:8082/
> ProxyPassReverse /apps/ http://localhost:8082/
> ProxyPassReverseCookiePath /apps/ /
>
> I can successfully proxy a request for <http://mydomain/apps/my_app/> to a
> Tomcat app at <http://localhost:8082/my_app/>. The ProxyPassReverse
> directive is working properly, as can be seen for requests that cause an
> internal redirection in the Tomcat app: <http://mydomain/apps/my_app/>
> correctly redirects (internally, via Tomcat) to
> <http://mydomain/apps/my_app/index.htm>.
>
> Yet, when switching on ProxyPreserveHost, internal redirects via Tomcat
> fail:
>
> ProxyPreserveHost off
^^^^ This should be "on" surely?
> ProxyPass /apps/ http://localhost:8082/
> ProxyPassReverse /apps/ http://localhost:8082/
> ProxyPassReverseCookiePath /apps/ /
>
> A request for <http://mydomain/apps/my_app/> now redirects to
> <http://mydomain/my_app/index.htm>. Moreover, I have the impression anything
> can be entered for ProxyPassReverse without making any difference, e.g.:
>
> ProxyPassReverse /apps/whatever/ http://localhost:8082/
>
> This doesn't affect the redirected URL whatsoever: it always is redirected
> to <http://mydomain/my_app/index.htm>. However, with ProxyPreserveHost
> switched off, above rule does redirect the original request to
> <http://mydomain/apps/whatever/my_app/index.htm>, which is what I'd expect.
>
> So, my question is: (how) can ProxyPassReverse be made to work in
> combination with ProxyPreserveHost?
>
> Kind regards,
>
> Ron

ProxyPassReverse has a *very* specific meaning. When it sees a header
value with the 2nd argument, it will replace it with the first
argument, and then use standard apache semantics to turn that into a
fully qualified URL. See UseCanonicalName for details on that.

So, what URL does your backend server generate? Does the Location
header, as seen by Apache, contain "http://localhost:8082/" when
ProxyPreserveHost is on, or does it contain something else?

The best way to debug reverse proxying is to run tcpdump on the proxy
server. That way, you can see the request as the reverse proxy sees
it, the request as the backend sees it, the raw response generated by
the backend and the processed response returned by the proxy. Without
seeing those things, we're probably just guessing.

If you can't use tcpdump, you will need to find some other way of
examining the "Location" header, eg a custom log format.

Cheers

Tom

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe [at] httpd
For additional commands, e-mail: users-help [at] httpd


ron.vandenbranden at kantl

Mar 29, 2012, 10:54 AM

Post #3 of 8 (1238 views)
Permalink
Re: mod_proxy: ProxyPassReverse ignored with ProxyPreserveHost? [In reply to]

Hi,

Thanks for your detailed suggestions, Tom.

On 29/03/2012 18:22, Tom Evans wrote:
> On Thu, Mar 29, 2012 at 5:06 PM, Ron Van den Branden
> <ron.vandenbranden [at] kantl> wrote:
>> Yet, when switching on ProxyPreserveHost, internal redirects via Tomcat
>> fail:
>>
>> ProxyPreserveHost off
> ^^^^ This should be "on" surely?

Ouch, my bad, sorry. Surely, 'on' is what I meant.

> So, what URL does your backend server generate? Does the Location
> header, as seen by Apache, contain "http://localhost:8082/" when
> ProxyPreserveHost is on, or does it contain something else?
>
> The best way to debug reverse proxying is to run tcpdump on the proxy
> server. That way, you can see the request as the reverse proxy sees
> it, the request as the backend sees it, the raw response generated by
> the backend and the processed response returned by the proxy. Without
> seeing those things, we're probably just guessing.

I've briefly checked: I can run tcpdump on the proxy server. Yet, I
don't know it at all. Do you perhaps know the command to achieve the
task you mention, so I can produce more useful reports? Un/fortunately,
I'm leaving on holiday tomorrow; but maybe I still have some time to
look into this tonight.

Kind regards,

Ron

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe [at] httpd
For additional commands, e-mail: users-help [at] httpd


icicimov at gmail

Mar 29, 2012, 2:41 PM

Post #4 of 8 (1234 views)
Permalink
Re: mod_proxy: ProxyPassReverse ignored with ProxyPreserveHost? [In reply to]

tcpdump -vvv -X -s 0 -i eth0 tcp port 8080

Needs to be run as root. Replace port 8080 with what ever port you need.
Option "-i eth0" is just in case you have more than one network interfaces.
If you use it make sure to replace eth0 with correct value for your server.
On Mar 30, 2012 4:55 AM, "ron.vandenbranden [at] hom" <
ron.vandenbranden [at] kantl> wrote:

> Hi,
>
> Thanks for your detailed suggestions, Tom.
>
> On 29/03/2012 18:22, Tom Evans wrote:
>
>> On Thu, Mar 29, 2012 at 5:06 PM, Ron Van den Branden
>> <ron.vandenbranden [at] kantl> wrote:
>>
>>> Yet, when switching on ProxyPreserveHost, internal redirects via Tomcat
>>> fail:
>>>
>>> ProxyPreserveHost off
>>>
>> ^^^^ This should be "on" surely?
>>
>
> Ouch, my bad, sorry. Surely, 'on' is what I meant.
>
> So, what URL does your backend server generate? Does the Location
>> header, as seen by Apache, contain "http://localhost:8082/" when
>> ProxyPreserveHost is on, or does it contain something else?
>>
>> The best way to debug reverse proxying is to run tcpdump on the proxy
>> server. That way, you can see the request as the reverse proxy sees
>> it, the request as the backend sees it, the raw response generated by
>> the backend and the processed response returned by the proxy. Without
>> seeing those things, we're probably just guessing.
>>
>
> I've briefly checked: I can run tcpdump on the proxy server. Yet, I don't
> know it at all. Do you perhaps know the command to achieve the task you
> mention, so I can produce more useful reports? Un/fortunately, I'm leaving
> on holiday tomorrow; but maybe I still have some time to look into this
> tonight.
>
> Kind regards,
>
> Ron
>
> ------------------------------**------------------------------**---------
> To unsubscribe, e-mail: users-unsubscribe [at] httpd**apache.org<users-unsubscribe [at] httpd>
> For additional commands, e-mail: users-help [at] httpd
>
>


icicimov at gmail

Mar 29, 2012, 2:45 PM

Post #5 of 8 (1237 views)
Permalink
Re: mod_proxy: ProxyPassReverse ignored with ProxyPreserveHost? [In reply to]

Or

tcpdump -vvv -X -s 0 -i eth0 -n -w tcpdump.pcap tcp port 8080

If you want to dump into a file tcpdump.pcap to inspect it later with
Wireshark.
On Mar 30, 2012 8:41 AM, "Igor Cicimov" <icicimov [at] gmail> wrote:

> tcpdump -vvv -X -s 0 -i eth0 tcp port 8080
>
> Needs to be run as root. Replace port 8080 with what ever port you need.
> Option "-i eth0" is just in case you have more than one network interfaces.
> If you use it make sure to replace eth0 with correct value for your server.
> On Mar 30, 2012 4:55 AM, "ron.vandenbranden [at] hom" <
> ron.vandenbranden [at] kantl> wrote:
>
>> Hi,
>>
>> Thanks for your detailed suggestions, Tom.
>>
>> On 29/03/2012 18:22, Tom Evans wrote:
>>
>>> On Thu, Mar 29, 2012 at 5:06 PM, Ron Van den Branden
>>> <ron.vandenbranden [at] kantl> wrote:
>>>
>>>> Yet, when switching on ProxyPreserveHost, internal redirects via Tomcat
>>>> fail:
>>>>
>>>> ProxyPreserveHost off
>>>>
>>> ^^^^ This should be "on" surely?
>>>
>>
>> Ouch, my bad, sorry. Surely, 'on' is what I meant.
>>
>> So, what URL does your backend server generate? Does the Location
>>> header, as seen by Apache, contain "http://localhost:8082/" when
>>> ProxyPreserveHost is on, or does it contain something else?
>>>
>>> The best way to debug reverse proxying is to run tcpdump on the proxy
>>> server. That way, you can see the request as the reverse proxy sees
>>> it, the request as the backend sees it, the raw response generated by
>>> the backend and the processed response returned by the proxy. Without
>>> seeing those things, we're probably just guessing.
>>>
>>
>> I've briefly checked: I can run tcpdump on the proxy server. Yet, I don't
>> know it at all. Do you perhaps know the command to achieve the task you
>> mention, so I can produce more useful reports? Un/fortunately, I'm leaving
>> on holiday tomorrow; but maybe I still have some time to look into this
>> tonight.
>>
>> Kind regards,
>>
>> Ron
>>
>> ------------------------------**------------------------------**---------
>> To unsubscribe, e-mail: users-unsubscribe [at] httpd**apache.org<users-unsubscribe [at] httpd>
>> For additional commands, e-mail: users-help [at] httpd
>>
>>


ron.vandenbranden at kantl

Mar 29, 2012, 3:32 PM

Post #6 of 8 (1229 views)
Permalink
Re: mod_proxy: ProxyPassReverse ignored with ProxyPreserveHost? [In reply to]

Thanks, Igor.

On Mar 30, 2012 8:41 AM, "Igor Cicimov" <icicimov [at] gmail
<mailto:icicimov [at] gmail>> wrote:
>
> tcpdump -vvv -X -s 0 -i eth0 tcp port 8080
>
> Needs to be run as root. Replace port 8080 with what ever port you
> need. Option "-i eth0" is just in case you have more than one
> network interfaces. If you use it make sure to replace eth0 with
> correct value for your server.
>

Hmm, tcpdump returns nothing for reverse proxied requests: while
<http://mydomain/apps/my_app/> is correctly proxied to
<http://localhost:8082/my_app/>, nothing of this is traced by tcpdump.

OTOH, direct (non-proxied) requests are picked up:
<http://mydomain:8080/my_app/> returns a load of tcpdump output.

Best,

Ron


Bruno.Treguier at shom

Mar 29, 2012, 10:09 PM

Post #7 of 8 (1233 views)
Permalink
Re: mod_proxy: ProxyPassReverse ignored with ProxyPreserveHost? [In reply to]

Le 30/03/2012 à 0:32, ron.vandenbranden [at] hom a écrit :
> Thanks, Igor.
>
> On Mar 30, 2012 8:41 AM, "Igor Cicimov" <icicimov [at] gmail
> <mailto:icicimov [at] gmail>> wrote:
>>
>> tcpdump -vvv -X -s 0 -i eth0 tcp port 8080
>>
>> Needs to be run as root. Replace port 8080 with what ever port you
>> need. Option "-i eth0" is just in case you have more than one
>> network interfaces. If you use it make sure to replace eth0 with
>> correct value for your server.
>>
>
> Hmm, tcpdump returns nothing for reverse proxied requests: while
> <http://mydomain/apps/my_app/> is correctly proxied to
> <http://localhost:8082/my_app/>, nothing of this is traced by tcpdump.

Hi,

This is probably because the proxied requests are using the "loopback"
interface, so in order to capture both dialogues (between your client
and your "proxy" vhost, and between your "proxy" vhost and your app
vhost, you need to use the "any" pseudo-interface (meaning all the
interfaces than can be found on your machine), and monitor both ports
(8080 and 8082):

tcpdump -vvv -X -s 0 -i any port 8080 or port 8082

If you're only interested in proxied requests, then using the "lo"
interface and asking for what's using port 8082 is sufficient:

tcpdump -vvv -X -s 0 -i lo port 8082

Best regards,

Bruno

--
- Service Hydrographique et Oceanographique de la Marine - DMGS/INF
- 13, rue du Chatellier - CS 92803 - 29228 Brest Cedex 2, FRANCE
- Phone: +33 2 98 22 17 49 - Email: Bruno.Treguier [at] shom

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe [at] httpd
For additional commands, e-mail: users-help [at] httpd


ron.vandenbranden at kantl

Mar 30, 2012, 12:07 AM

Post #8 of 8 (1234 views)
Permalink
Re: mod_proxy: ProxyPassReverse ignored with ProxyPreserveHost? [In reply to]

Ok,

Tried this version:

On 30/03/2012 7:09, Bruno Tréguier wrote:
> tcpdump -vvv -X -s 0 -i any port 8080 or port 8082

And captured 4 scenarios, dumped to different files:
-preserveHostOn_noredirect.out: ProxyPreserveHost = on + proxy
request not resulting in a redirect (successful request)
-preserveHostOn_redirect.out: ProxyPreserveHost = on + proxy
request resulting in a redirect (failing request)
-preserveHostOff_noredirect.out: ProxyPreserveHost = off + proxy
request not resulting in a redirect (successful request)
-preserveHostOff_redirect.out: ProxyPreserveHost = off + proxy
request resulting in a redirect (successful request)
(note: I've issued these requests to the real webapp, instead of the
simplified URLs I illustrated my question with; actual paths differ but
principle is the same)

I've attached them in a zip file. Does this help?

Again, many thanks to all for helping me out so far!

Kind regards,

Ron
Attachments: tcpdump.zip (11.8 KB)

Apache users RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.