Apache :: Remote User Reverse Proxy And Authentication
Dec 17, 2013
I have several applications that use authentication and expect REMOTE_USER to be set by Apache for authentication/authorization.
I am putting a reverse proxy, with shibboleth in front of these applications, on a separate server.
Currently, REMOTE_USER is not sent. I have tried a few things, and I am currently sending it inside another header, but I have some applications that are closed source and this will not work.
Is this possible to do? I am running this with Apache 2.4.7, I believe, on the Windows platform.
We have been using Apache 2.2.x with reverse proxy modules for our clients to access their OWA servers for over a year. I want to get us to Apache 2.4.x, so I set up a test box with the latest 2.4 on it. I fixed the config file issues since 2.4 has changes in it. OWA proxy is working on my test server with Apache 2.4. But with 2.4 I do have an issue I cannot figure out. Note that this does NOT occur with Apache 2.2. I get the following errors when using ActiveSync through reverse proxy:
[Thu Oct 17 12:19:11.670665 2013] [proxy_http:error] [pid 748:tid 8440] (OS 10060)A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. : [client x.x.x.x:20311] AH01102: error reading status line from remote server mail.nameredacted.net:443
[Thu Oct 17 12:19:11.670665 2013] [proxy:error] [pid 748:tid 8440] [client x.x.x.x:20311] AH00898: Error reading from remote server returned by /Microsoft-Server-ActiveSync
So somehow with Apache 2.4 there is some sort of timeout that was not there with 2.2.
Loading a page with ~150 files (mostly images and js files), I keep running into "locked requests" that are not coming back and block the whole page from finishing loading. The files differ every time.
I see these warnings in my error.log (looks like they are connected to the behaviour above).
Code:
[Tue Nov 19 20:38:10.890013 2013] [cache_disk:warn] [pid 216692:tid 15924] (OS 5)Access is denied. : [client x.x.x.x:58963] AH00699: rename tempfile to file failed: C:/temp/cache/aptmpcBQArf -> C:/temp/cache/H8Cta/9ha4U/Uhhhs/OlQfU/1Q.data,
I'm trying to set up a reverse proxy with several sites that will redirect requests to several internal servers. I wanted to do that with several VirtualHosts (as shown below). Unfortunately, whatever I type in my browser, testsupport.xxxx.com or support2.xxxx.com, I'm redirected to the first one in the config file (in the example, http://10.253.12.41/). Is it the ServerName key that will redirect to the right proxypass?
We are struggling to configure our Apache reverse proxy (on WIN 2008) server to force https.
We have the cert installed on the proxy server, and it seems to be working but we are unable to force connections to https: and the site is still available via http:
How do you enforce https on the site?
reading read about the .htaccess file, virtual hosts but still having a hell of a time putting it all together
I'm trying to do a setup of alfresco. It has two basic sites. [URL]. Both use kerberos authentication. Alfresco has SSO and share has not. Both sites are on the same server (it's just one site but different subs).
I want to put this behind a reverse proxy to eliminate the servername:port combination.
When I put it in a normal config with ajp everything works fine for the share website. I can log in without problems. Not so, however, for the alfresco website. I get a browser login request (not the alfresco one); when I enter my credentials it asks for them again and again, and then it ends on the regular login page of alfresco, at which point everything works. The username I entered is displayed at this point. When I do not enter my credentials correctly I do not reach the page.
If I remove the SSO from the alfresco website everything is normal (but I have to log in).
I'm currently in the process of configuring a Red Hat Linux server as a proxy server for a number of back end web servers. I set up reverse proxying to hide the web server URLs, but I've run into a problem with the second web server, because some of the directory structures are identical on both servers.
I am having a little trouble getting a reverse proxy redirect to work. I have a Linux server running Apache2. I have installed SABnzbd+, Sickbeard, Couchpotato & Headphones onto this device. I want to access SABnzbd+, Sickbeard, Couchpotato & Headphones from the outside world (via a DYNDNS name).
I know that I could just forward the ports through the router, but I don't want all the extra ports opened. I was told that I can have Apache do a reverse proxy, but I can't get it to work. I basically want to be able to type myname.dyndns.org/sickbeard instead of typing in myname.dyndns.org:8081.
I am running a few different web servers on my home network and have found a way of binding each web server (and any virtual hosts) to domain names and having a "central" web server rerouting a request to the appropriate server using reverse-proxy. At the moment, this central web server is IIS (Windows Server 2008 R2) based and it works perfectly. I want to change the central server to an Apache based one.
As an example: I want the central server to see an incoming http request (e.g. sub.domain.com) and reroute it using reverse-proxy to a different web server that wouldn't normally be accessible from the Internet (e.g. 192.168.1.122/index.html).
My question is how do you reverse-proxy to a different server on the LAN with mod_rewrite in Apache?
I am trying to set up a reverse proxy to the application Surveillance Station on my Synology NAS. Although the reverse proxy works OK for other apps like Webadmin, Download Station and such, parts of the Surveillance Station app do not work, particularly the Live View & Time Line.
From the logs, I suspect an authorisation problem (because of the 401), but I'm not sure. I have tried ProxyPreserveHost on, ProxyVia full, and some rewrite rules, but I'm not sure what I'm doing. Direct access to the port of the app works (i.e. 83.xxx.x.xxx:9900), so I know it has something to do with the reverse proxy.
I've been working with the Apache server (primary under CentOS, but some under Red Hat and on XAMPP stacks as well) and have been tasked with a project.
Periodically, we need to have our web sites down for maintenance - updates, backups, etc. What I've been told to do is find a way to have a 'front end' to our web sites so that, when they are down for maintenance, the end-users will receive a message 'This site is down for maintenance till XX:XX AM/PM' or such.
Here are my questions:
- What would you call what I am trying to setup? The reading I've done implies that what I really want to setup is a reverse proxy server. Is that what I want to do?
- If it isn't a reverse proxy I want to set up, what do I want to setup?
- Of the different types of solutions available, What I could use for this? I've read about using Nginx in front of Apache, I've heard of Squid, I've heard about Tomcat.
- Is this a type of 'clustering/high availability' project I'm really looking at here? I've been hearing those terms thrown about as well.
In case it makes any kind of a difference, the Apache instances are pretty simple - PHP, MySQL and that's about it - not very involved (for now). I'm hoping that I can learn what/how to do this correctly and, when I'm ready to add more capabilities, that I'll be able to extrapolate out from there what I'd need to do.
- 1 Public IP
- Host Windows Server 2008 R2 AD/DNS/Hyper-V (server0)
+ VM Windows Server 2008 R2 Exchange 2010/IIS (server1)
+ VM Ubuntu server 13.11 Apache 2.4.6 with virtual hosts (server2)
+ VM Windows Server 2008 R2 Blackberry Enterprise Server running on a Jboss webserver (server3)
- All port 80,443 requests point to Ubuntu server 13.11 (server2)
Within Apache 2.4.6 I have virtual hosts where the setup is as follows
For learning purposes I am configuring a BlackBerry Enterprise Server (BES) on server3. It's a clean installation with only the needed applications to run a BES. Because I only have 1 public IP I am trying to reverse proxy this webservice too, like server1. The BES webservice is configured to accept connections on port 443. So my first web.conf setup was similar to the setup I used for server1, but I noticed that the webpage was displayed but I couldn't interact with the page because it was a Java application. So digging deeper into this I found that the webpage that BES provided me to use isn't the real application but more like an iframe setup.
Example:
BES Console address: https://server3.com/webconsole/login
Real address: https://server3.com/websconsole/app
Unfortunately, after finding this and editing my web.conf to proxypass reverse to this real address I encountered another problem. The BES webconsole works with session IDs and parameters
Currently I am trying to install an Apache 2.4.3 as a caching reverse proxy. I would like to use memcached as my cache backend. I figured out there is a mod_socache_memcache, which from my understanding should do exactly that (in combination with mod_cache_socache). So I compiled mod_cache_socache from trunk, loaded mod_cache, mod_cache_socache and mod_socache_memcache, but now I am stuck with the configuration. Here is what I tried:
Where do I configure the path to my memcached instance? The reason for memcached as caching backend is that the machine is a Windows machine, and from my understanding mod_cache_disk is not as efficient on an NTFS filesystem as it is on EXT3/4.
Another reason is, that later on there should be a possibility to put a second Reverse Proxy machine which shares the cache with the first one by using the same memcached instance (is that possible at all?).
I am trying to do reverse proxy for several web servers in my network. I have successfully configured the reverse proxy. However, when websites with multimedia webpages are requested, the multimedia content is not displaying. What is it that I am missing in my config file?
I have an Apache reverse proxy set up. I have an IIS server on the backend with a site which must be HTTPS and must require client certificates (x509). It seems like the proxy is working great, but the client certificate is not getting passed along the HTTPS request from proxy to IIS. We keep getting 403.7 (Client certificate required) errors. How I can bridge the client certificate from Apache reverse proxy to IIS?
Our Apache proxy is not set up to require client certs, the IIS website is. What I would expect is that when we make a web request that goes through the proxy to the IIS server, we would get challenged for a client cert for the IIS website (it's set to require client certs like it always has) and that client cert information would be passed along the HTTPS request. We have to be able to programmatically access the x509 cert through code on the IIS website, that's why we need to have the cert passed along.
I've set up a reverse proxy using the Ubuntu Apache2 package (2.2.2, with evidently an old version of mod_proxy_html), and it's about 50% functional, but certain images aren't loading.
I've tried with and without ProxyHTMLExtended on, but even with it on I'm not convinced that any non-inline scripts or CSS files are being properly handled, as they are being directed to my local root directory instead of /app1/, and when it is on, I can no longer log in to the internal webapp.
In the log, the only errors that stand out to me are those referencing things from relative root directories, like /images/* and /ajax/*. The image files are coming from separate CSS files, and it doesn't tell me where exactly the ajax references are originating.
Here is the relevant part of my VH config:
ProxyRequests Off
ProxyPass /app1/ http://example.com/
ProxyHTMLURLMap http://example.com /app1
My system consists of an Ubuntu 14.04 server running LAMP. I am running Apache 2. On the same machine I am running Shiny server and running my apps through port 4949.
[URL] ....
I also am running an additional Shiny server copy on a virtual box through port 3838. All is running very good. I have an html web page running on Apache 2. I can view it and all my apps running on both Shiny servers from any place on the web.
My concern, however, is security. I have ports 3838, 4949, and 80 open. How can I set up Apache to run as a reverse proxy for both of my Shiny servers (ports 4949 and 3838) and also continue to host my web page securely?
I have also attempted to set up a self-signed certificate using the following procedure but it is not working. I used the following instructions and followed them verbatim.
[URL] ....
How to set up a reverse proxy for my Shiny servers?
I'm not sure if this is the right forum, or if anyone can suggest a message board where I might get support on this.
This is what I have. I have Apache and IIS both running on Windows 2k3.
Apache is running in reverse Proxy mode sending multiple domains/virtual hosts to IIS.
Code:
ProxyRequests Off
<VirtualHost *:80>
    ProxyPreserveHost On
    ProxyPass / http://localhost:8080
    ProxyPassReverse / [url]
    ServerName mydomain.com
</VirtualHost>
Now, if I type in [url] everything works great and IIS (listening on 127.0.0.1:8080) serves the page. However, I am doing custom error trapping, so when I type in [url] (and /mydirectory doesn't exist on IIS) I need to fire ASP code (via custom error messages/handling) on the IIS server and then present a data driven page.
However, Apache is returning A 502 error:
Code:
Proxy Error
The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request GET /mydirectory.
Reason: DNS lookup failure for: localhost:8080mydirectory
Is there a way for me to setup Apache to pass all error checking to IIS while using it as a reverse proxy?
I'd appreciate if you can point out some links, or if anyone is willing to help me for a fee, we can talk about it.
I have a web application called MyApp
- Each MyApp user has 5gb hosting, and a web interface to manage their files.
- Therefore MyApp user gets a user account on linux machine and has access to only one directory /repo/usr/<user_id> and nowhere else. (suexec?)
- If that MyApp user creates a subdomain from any folder inside his home folder (he can do that using web interface), that folder is readable by www-data user not writable.
- That myapp user is able to mount/unmount his own ftp drives using curlftpfs.
- In short, users can only mess with their own files and they have no access nor rights to any other file that is outside of their home dir.
In short, this is a kind of hosting company server setup. Right now, we will have to manage all this from -only- one powerful server.
I'm using the isapi rewrite module for iis 6 which uses the exact same syntax as mod_rewrite in apache. I'm not very well versed in apache and need getting this to work asap. Basically I have a directory in our website: URL....
I need to forward this to an IP address, for example to this address: 100.12.33.45/folder, while keeping the original URL (www.xyz.edu/folder). I'm unsure of the apache syntax for this.
way to centrally login our FTP clients. We currently run ftp1/2/3/4.[url] and would like to have simply [url] which would authenticate the user and push the user to the relevant server.
This would hopefully work in the same way as a Radius Proxy.
If my main site is hosted in the USA and the reverse proxy server is located in the UK or Canada, will my site still load quickly or be dramatically slow? Both use Linux and Apache. Will Canada users load my site quickly, or still slowly? How about USA customers?
I researched a few options and have come to this conclusion: use Ultramonkey (LVS + HA Proxy) -> apache2 mod_php/ mod_python (serve php / python) -> lighttpd (serve static files) -> mongrel (ruby server)