Reverse proxying is problematic
Reverse proxying is problematic
am 02.12.2009 12:02:27 von Robert Schenck
--001485f7759e97249e0479bcd064
Content-Type: text/plain; charset=ISO-8859-1
*I know this is a long read...but I really need help, and felt the best way
for anyone to help me remotely is to explain the issues in their entirety. *
Hello,
I'm trying to set a reverse proxy, but first, some context:
My office is subscribed to few academic journals. These journals verify the
subscription via IP, such that anyone connected to the internet through our
connection can access the journals. However, some individuals would like to
access the journals away from the office as well. We have a VPN, but it only
connects them to our intranet. Therefore, we want to create a reverse proxy
such that the users with connect to the VPN, then to our intranet, and then
to the proxy server, and then, ultimately, to the journal at hand. This
works because the proxy server will be within our intranet, which they have
access to through the VPN. So it will look like so:
Client --> VPN --> Our Intranet --> Reverse Proxy --> Journal
Note that I'm an intern and have had *very *little experience with Apache
and networking in general (and Linux!)...so please explain things fully.
I have attempted to follow this guide:
http://www.apachetutor.org/admin/reverseproxies
I'm running SUSE Linux Enterprise 11, and have installed apache through
zypper. I installed the mod_proxy_html and mod_xml2enc modules via
compiling. They are fully functional. (mod_proxy_html to rewrite links).
In the examples below I'm attempting to reverse proxy both http://aip.organd
http://apl.aip.org. So basically want I want to do is have anything that is
http://aip.org/somepage.html to be http://proxysrv1/aip/somepage.html and
anything that is http://apl.aip.org to be http://proxysrv1/apl/somepage.html.
All of the content on the page must go through the proxy (note: I know that
many of the links lead to other sub-domains, I will include those as
well...but later, I figured I should get these two working first). *Please
do not suggest a different server application like Squid, I'm required to
use Apache. *
So far, I have the following modifications to the http.conf file:
------------------------------------------------------------ ------------------------------------------------------------ ----
Include /etc/apache2/vhosts.d/*.conf
ProxyHTMLEnable On
ProxyHTMLExtended On
ProxyHTMLLinks a href
ProxyHTMLLinks area href
ProxyHTMLLinks link href
ProxyHTMLLinks img src longdesc usemap
ProxyHTMLLinks object classid codebase data usemap
ProxyHTMLLinks q cite
ProxyHTMLLinks blockquote cite
ProxyHTMLLinks ins cite
ProxyHTMLLinks del cite
ProxyHTMLLinks form action
ProxyHTMLLinks input src usemap
ProxyHTMLLinks head profile
ProxyHTMLLinks base href
ProxyHTMLLinks script src for
ProxyHTMLLinks iframe src
ProxyHTMLEvents onclick ondblclick onmousedown onmouseup \
onmouseover onmousemove onmouseout onkeypress \
onkeydown onkeyup onfocus onblur onload \
onunload onsubmit onreset onselect onchange
ProxyRequests Off
ProxyPass /aip/ http://aip.org/
ProxyPassReverse /aip/ http://aip.org/
ProxyHTMLURLMap http://www.aip.org http://proxysrv1/aip
ProxyPass /apl/ http://apl.aip.org/
ProxyPassReverse /apl/ http://apl.aip.org/
ProxyHTMLURLMap http://apl.aip.org http://proxysrv1/apl
ProxyHTMLEnable On
ProxyHTMLExtended On
ProxyPassReverse /
ProxyHTMLURLMap / /
RequestHeader unset Accept-Encoding
ProxyHTMLEnable On
ProxyHTMLExtended On
ProxyPassreverse /
ProxyHTMLURLMap / /
RequestHeader unset Accept-Encoding
ProxyHTMLLogVerbose On
LogLevel Info
------------------------------------------------------------ ------------------------------------------------------------ ----
And the following modifications to the vhost.conf file:
------------------------------------------------------------ ------------------------------------------------------------ ----
NameVirtualHost *:80
ServerName proxysrv1
DocumentRoot /srv/www/htdocs
HostnameLookups Off
UseCanonicalName On
ServerSignature On
Options Indexes All
AllowOverride None
Order allow,deny
Allow from all
Documentroot /srv/www/htdocs/aip
Servername proxysrv1/aip
HostnameLookups Off
UseCanonicalName On
ServerSignature On
Options Indexes All
AllowOverride None
Order allow,deny
Allow from all
Documentroot /srv/www/htdocs/apl
Servername proxysrv1/apl
HostnameLookups Off
UseCanonicalName On
ServerSignature On
Options Indexes All
AllowOverride None
Order allow,deny
Allow from all
------------------------------------------------------------ -------------------------------
*The mass of issues:*
1) http://proxysrv1/aip/ looks like this: http://imgur.com/n6m0L.png
The page source: http://paste.ubuntu.com/333007/
2) http://proxysrv1/apl/ looks like this: http://proxysrv1/apl/
The page source: http://paste.ubuntu.com/333009/
3) I created a virtual host & proxy at http://proxysrv1/apl/, yet
links like http://apl.aip.org/about/about_the_journal
redirect to http://proxysrv/about/about_the_journal rather than
http://proxysrv/apl/about/about_the_journal
4) All the pages look like crap. I had aip.org working previously, but
only if I set its directory to / (so by going to http://proxysrv1/ you
went to aip.org/),
and had no virtual hosts.
5) That's actually all I can think of. But the pages are pretty darn broken.
*Please explain any fixes in a step-by-step process. Again, I'm new to this.*
--001485f7759e97249e0479bcd064
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
I know this is a long read...but I really need help, and felt the
best way for anyone to help me remotely is to explain the issues in
their entirety.
Hello,
I'm trying to set a reverse proxy, but first, some contex=
t:
My
office is subscribed to few academic journals. These journals verify
the subscription via IP, such that anyone connected to the internet
through our connection can access the journals. However, some
individuals would like to access the journals away from the office as
well. We have a VPN, but it only connects them to our intranet.
Therefore, we want to create a reverse proxy such that the users with
connect to the VPN, then to our intranet, and then to the proxy server,
and then, ultimately, to the journal at hand. This works because the
proxy server will be within our intranet, which they have access to
through the VPN. So it will look like so:
Client --> VPN --> O=
ur Intranet --> Reverse Proxy --> Journal
Note that I'm an=
intern and have had very little experience with Apache and networki=
ng in general (and Linux!)...so please explain things fully.
I have attempted to follow this guide:
g/admin/reverseproxies">http://www.apachetutor.org/admin/rev erseproxies=
I'm running SUSE Linux Enterprise 11, and have installed apache through
zypper. I installed the mod_proxy_html and mod_xml2enc modules via
compiling. They are fully functional. (mod_proxy_html to rewrite
links).
In the examples below I'm attempting to reverse proxy both
and
..org">http://apl.aip.org. So basically want I want to do
is have anything that is http://ai=
p.org/somepage.html to be
http://proxysrv1/aip/somepag=
e.html and anything that is
to be
://proxysrv1/apl/somepage.html">http://proxysrv1/apl/somepag e.html. All=
of the
content on the page must go through the proxy (note: I know that many
of the links lead to other sub-domains, I will include those as
well...but later, I figured I should get these two working first). Pleas=
e do not suggest a different server application like Squid, I'm requ=
ired to use Apache.
So far, I have the following mod=
ifications to the http.conf file:
------------------------------------------------------------ -----------=
-----------------------------------------------------
Include /etc/apach=
e2/vhosts.d/*.conf
ProxyHTMLEnable On
ProxyHTMLExtended On
ProxyHTMLLinks=A0 a href
P=
roxyHTMLLinks=A0 area =A0 href
ProxyHTMLLin=
ks=A0 link =A0 href
ProxyHTMLLinks=A0 img=
src longdesc usemap
ProxyHTMLLinks=
=A0 object =A0 classid codebase data usemap
ProxyHTMLLinks=A0 q cite
Proxy=
HTMLLinks=A0 blockquote =A0 cite
ProxyHTMLLinks=A0 ins =
cite
ProxyHTMLLinks=A0 del =A0=
=A0 cite
ProxyHTMLLinks=A0 form =A0=
action
ProxyHTMLLinks=A0 input =A0=
=A0 src usemap
ProxyHTMLLinks=A0 head =A0 profile
ProxyHTM=
LLinks=A0 base =A0 href
ProxyHTMLLinks=A0 s=
cript =A0 src for
ProxyHTMLLinks=A0 iframe =
=A0 src
ProxyHTMLEvents onclick ondblclick onmouse=
down onmouseup \
=A0 onmouseover onmousemove onmou=
seout onkeypress \
=A0 onkeydo=
wn onkeyup onfocus onblur onload \
=
=A0 onunload onsubmit onreset onselect onchange
ProxyRequests =
Off
ProxyPass /aip/
ProxyPassReverse /aip/
P=
roxyHTMLURLMap
f=3D"http://proxysrv1/aip">http://proxysrv1/aip
ProxyPass /apl/
ref=3D"http://apl.aip.org/">http://apl.aip.org/
ProxyPassReverse /apl/ http://apl.aip.org/<=
/a>
ProxyHTMLURLMap http://apl.aip.org
>
<Loca=
tion /aip/>
=A0 ProxyHTMLEnable On
=A0 ProxyHTML=
Extended On
=A0 ProxyPassReverse /
=A0=
ProxyHTMLURLMap / /
=A0 RequestHeader unset Acc=
ept-Encoding
</Location>
<Location /apl/>
=A0 ProxyHTMLEnable On
=A0 ProxyHTML=
Extended On
=A0 ProxyPassreverse /
=A0=
ProxyHTMLURLMap / /
=A0 RequestHeader unset Acc=
ept-Encoding
</Location>
ProxyHTMLLogVerbose On
LogLevel Info
--------------------------------------------------=
------------------------------------------------------------ --------------<=
br>
And the following modifications to the vhost.conf file:
------------------------------------------------------------ ---------------=
-------------------------------------------------
NameVirtualHost *:80
etica,sans-serif;" size=3D"2"><VirtualHost *:80>
ServerName pr=
oxysrv1
DocumentRoot /srv/www/htdocs
HostnameLookups Off
UseCanonicalName On
ServerSignature On
<Directory "/srv/www/htdocs">=
Options Indexes All
AllowOverride None
Or=
der allow,deny
Allow from all
</Directory>
</VirtualHost>
<VirtualHost *:80>
Documentroot /srv/www/htdocs/aip
> Servername proxysrv1/aip
HostnameLookups Off
=
UseCanonicalName On
ServerSignature On
<Directory=
"/srv/www/htdocs/aip">
Options Indexes All
AllowOverride None
r> Order allow,deny
Allow from all
=
</Directory>
</VirtualHost>
<VirtualHost =
*:80>
Documentroot /srv/www/htdocs/apl
Servername proxysrv1/ap=
l
HostnameLookups Off
UseCanonicalName On
=
ServerSignature On
<Directory "/srv/www/htdocs/apl"=
>
Options Indexes All
AllowOverride None
r> Order allow,deny
Allow from all
=
</Directory>
</VirtualHost>
-------------=
---------------------------------------------------------------------------=
---
The mass =
of issues:
tica,sans-serif;" size=3D"2">1) http://pr=
oxysrv1/aip/ looks like this: ht=
tp://imgur.com/n6m0L.png
The page source: http://paste.u=
buntu.com/333007/
2) http://pr=
oxysrv1/apl/ looks like this: http://=
proxysrv1/apl/
The page source: http://paste.u=
buntu.com/333009/
3) I created a virtual host & proxy at
href=3D"http://proxysrv1/apl/">http://proxysrv1/apl/, yet links like
href=3D"http://apl.aip.org/about/about_the_journal">http://apl.aip.org/abo=
ut/about_the_journal
redirect to <=
font style=3D"font-family: arial,helvetica,sans-serif;" size=3D"2">about/ab=
out_the_journal rather than http://proxysr=
v/apl/
ans-serif;" size=3D"2">about/about_the_journal
4) All the pages look like crap. I had aip.o=
rg working previously, but only if I set its directory to / (so by goin=
g to you went to
f=3D"http://aip.org/">aip.org/),
and had no virtual hosts.
5) That's actually all I can think of.=
But the pages are pretty darn broken.
Please explain any fixes =
in a step-by-step process. Again, I'm new to this.
>
--001485f7759e97249e0479bcd064--
Re: Reverse proxying is problematic
am 02.12.2009 12:13:29 von Peter Schober
* Robert Schenck [2009-12-02 12:03]:
> My office is subscribed to few academic journals. These journals verify the
> subscription via IP, such that anyone connected to the internet through our
> connection can access the journals.
You might also want to look at EZproxy
http://en.wikipedia.org/wiki/EZproxy
(besides getting the publisher to dump IP-addresses for authorization).
-peter
------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: Reverse proxying is problematic
am 02.12.2009 12:45:30 von Robert Schenck
--001485f6cb7a8d63a10479bd6ad5
Content-Type: text/plain; charset=ISO-8859-1
Peter,
I have to use Apache, I don't have a choice (says my employer).
On Wed, Dec 2, 2009 at 12:13 PM, Peter Schober
wrote:
> * Robert Schenck [2009-12-02 12:03]:
> > My office is subscribed to few academic journals. These journals verify
> the
> > subscription via IP, such that anyone connected to the internet through
> our
> > connection can access the journals.
>
> You might also want to look at EZproxy
> http://en.wikipedia.org/wiki/EZproxy
> (besides getting the publisher to dump IP-addresses for authorization).
> -peter
>
> ------------------------------------------------------------ ---------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
--001485f6cb7a8d63a10479bd6ad5
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Peter,
I have to use Apache, I don't have a choice (says my empl=
oyer).
On Wed, Dec 2, 2009 at 12:13 PM, P=
eter Schober
<
c.at" target=3D"_blank">peter.schober@univie.ac.at> wrote:
>
204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
* Robert Schenck <
blank">robschenck416@gmail.com> [2009-12-02 12:03]:
> My office is subscribed to few academic journals. These journals =
verify the
> subscription via IP, such that anyone connected to the internet throug=
h our
> connection can access the journals.
You might also want to look at EZproxy
http://e=
n.wikipedia.org/wiki/EZproxy
(besides getting the publisher to dump IP-addresses for authorization).
-peter
------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.<=
br>
See <URL:
lank">http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail:
g" target=3D"_blank">users-unsubscribe@httpd.apache.org
=A0 " =A0 from the digest:
@httpd.apache.org" target=3D"_blank">users-digest-unsubscribe@httpd.apache.=
org
For additional commands, e-mail:
org" target=3D"_blank">users-help@httpd.apache.org
--001485f6cb7a8d63a10479bd6ad5--
Re: Reverse proxying is problematic
am 02.12.2009 12:55:59 von Eric Covener
Is mod_proxy_html supposed to be changing those /css/ links into
something else that would actually be handled by your ProxyPass? You
can tell if it is by saving the source when you're actually going
through the proxy.
Also, 404's in your access log would be a big hint about what you're
missing, but due to the rendering issue it's likely the css.
--
Eric Covener
covener@gmail.com
------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: Reverse proxying is problematic
am 02.12.2009 13:00:29 von Peter Schober
* Robert Schenck [2009-12-02 12:46]:
> I have to use Apache, I don't have a choice (says my employer).
This was just meant as a heads up: depending on the publisher you
might have to rewrite most everything (URLs, HTML content, Cookies,
JavaScript, etc.), and every publisher does things differently.
If your employer really thinks reinventing this poorly is time and
money well spent (vs. using something that is known to just work),
then so be it.
(Not that I actually promote the use of aforementioned product, since
that will only prolong the misuse of IP-addresses for authorization
purposes. SAML is the standard way of accessing publisher resources
online, of course.)
-peter
------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: Reverse proxying is problematic
am 02.12.2009 13:09:53 von Tom Evans
On Wed, Dec 2, 2009 at 11:02 AM, Robert Schenck wrote:
> I know this is a long read...but I really need help, and felt the best way
> for anyone to help me remotely is to explain the issues in their entirety.
tl;dr
>
> Please explain any fixes in a step-by-step process. Again, I'm new to this.
>
Part of the problem is that you are rewriting HTML. Messy isn't it?
Now do it again, but don't bother with rewriting the HTML.
Remove all the Proxy directives from the main apache server config, it
makes no sense when you then define vhosts later to use.
Define a vhost for each site you wish to proxy. Set it up like so:
ServerName proxyaip
ProxyRequests Off
DocumentRoot /var/empty
Order allow,deny
Allow from all
ProxyPass http://aip.com/
ProxyPassReverse http://aip.com/
Accessing http://proxyaip/ should now be just like accessing
http://aip.com/ . If you want to proxy more sites, define more vhosts.
Cheers
Tom
------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: Reverse proxying is problematic
am 02.12.2009 13:09:58 von Robert Schenck
--001485f7753246e6410479bdc2ec
Content-Type: text/plain; charset=ISO-8859-1
I disable the mod_proxy_html module and the page still looked the same,
albeit without the little boxes signifying non-existent images.
However, I also looked at the error log for the virtual host, and I found
the following:
http://paste.ubuntu.com/333064/
On Wed, Dec 2, 2009 at 12:55 PM, Eric Covener wrote:
> Is mod_proxy_html supposed to be changing those /css/ links into
> something else that would actually be handled by your ProxyPass? You
> can tell if it is by saving the source when you're actually going
> through the proxy.
>
> Also, 404's in your access log would be a big hint about what you're
> missing, but due to the rendering issue it's likely the css.
>
> --
> Eric Covener
> covener@gmail.com
>
> ------------------------------------------------------------ ---------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
--001485f7753246e6410479bdc2ec
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
I disable the mod_proxy_html module and the page still looked the same, alb=
eit without the little boxes signifying non-existent images.
Howeve=
r, I also looked at the error log for the virtual host, and I found the fol=
lowing:
http://paste.ubuntu.com/333=
064/
On Wed, Dec 2, 2009 at 12:55=
PM, Eric Covener
<
" target=3D"_blank">covener@gmail.com> wrote:
204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Is mod_proxy_html supposed to be changing those /css/ links into
something else that would actually be handled by your ProxyPass? =A0You
can tell if it is by saving the source when you're actually going
through the proxy.
Also, 404's in your access log would be a big hint about what you'r=
e
missing, but due to the rendering issue it's likely the css.
--
Eric Covener
covener@gmail.com
>
------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.<=
br>
See <URL:
lank">http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail:
g" target=3D"_blank">users-unsubscribe@httpd.apache.org
=A0 " =A0 from the digest:
@httpd.apache.org" target=3D"_blank">users-digest-unsubscribe@httpd.apache.=
org
For additional commands, e-mail:
org" target=3D"_blank">users-help@httpd.apache.org
--001485f7753246e6410479bdc2ec--
Re: Reverse proxying is problematic
am 02.12.2009 13:10:22 von Robert Schenck
--001485f276a47a01e80479bdc3f0
Content-Type: text/plain; charset=ISO-8859-1
Peter: Well, I'm an intern so I'm supposed to be "learning"..or something
like.
On Wed, Dec 2, 2009 at 1:00 PM, Peter Schober wrote:
> * Robert Schenck [2009-12-02 12:46]:
> > I have to use Apache, I don't have a choice (says my employer).
>
> This was just meant as a heads up: depending on the publisher you
> might have to rewrite most everything (URLs, HTML content, Cookies,
> JavaScript, etc.), and every publisher does things differently.
> If your employer really thinks reinventing this poorly is time and
> money well spent (vs. using something that is known to just work),
> then so be it.
> (Not that I actually promote the use of aforementioned product, since
> that will only prolong the misuse of IP-addresses for authorization
> purposes. SAML is the standard way of accessing publisher resources
> online, of course.)
> -peter
>
> ------------------------------------------------------------ ---------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
--001485f276a47a01e80479bdc3f0
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Peter: Well, I'm an intern so I'm supposed to be "learning&quo=
t;..or something like.
On Wed, Dec 2, 200=
9 at 1:00 PM, Peter Schober
<
chober@univie.ac.at" target=3D"_blank">peter.schober@univie.ac.at>=
span> wrote:
204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">* Robert Schenck =
<robschenck=
416@gmail.com> [2009-12-02 12:46]:
> I have to use Apache, I don't have a choice (says my employer=
).
This was just meant as a heads up: depending on the publisher you
might have to rewrite most everything (URLs, HTML content, Cookies,
JavaScript, etc.), and every publisher does things differently.
If your employer really thinks reinventing this poorly is time and
money well spent (vs. using something that is known to just work),
then so be it.
(Not that I actually promote the use of aforementioned product, since
that will only prolong the misuse of IP-addresses for authorization
purposes. SAML is the standard way of accessing publisher resources
online, of course.)
-peter
------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.<=
br>
See <URL:
lank">http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail:
g" target=3D"_blank">users-unsubscribe@httpd.apache.org
=A0 " =A0 from the digest:
@httpd.apache.org" target=3D"_blank">users-digest-unsubscribe@httpd.apache.=
org
For additional commands, e-mail:
org" target=3D"_blank">users-help@httpd.apache.org
--001485f276a47a01e80479bdc3f0--
Re: Reverse proxying is problematic
am 02.12.2009 13:15:27 von Eric Covener
On 12/2/09, Robert Schenck wrote:
> I disable the mod_proxy_html module and the page still looked the same,
> albeit without the little boxes signifying non-existent images.
>
> However, I also looked at the error log for the virtual host, and I found
> the following:
>
> http://paste.ubuntu.com/333064/
I didn't expect removing it to help, since you don't account for the
/css/ at all. I just couldn't tell if that mod_proxy_html magic was
translating the /css/ into something you handled.
--
Eric Covener
covener@gmail.com
------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: Reverse proxying is problematic
am 02.12.2009 13:23:36 von Robert Schenck
--001485f5b0c0ccc4230479bdf28d
Content-Type: text/plain; charset=ISO-8859-1
I'm get "Access Forbidden" when trying to access proxysrv1/aip and
proxysrv1/apl
This is my updated vhost file:
http://paste.ubuntu.com/333080/
On Wed, Dec 2, 2009 at 1:09 PM, Tom Evans wrote:
> On Wed, Dec 2, 2009 at 11:02 AM, Robert Schenck
> wrote:
> > I know this is a long read...but I really need help, and felt the best
> way
> > for anyone to help me remotely is to explain the issues in their
> entirety.
>
> tl;dr
>
> >
> > Please explain any fixes in a step-by-step process. Again, I'm new to
> this.
> >
>
> Part of the problem is that you are rewriting HTML. Messy isn't it?
> Now do it again, but don't bother with rewriting the HTML.
>
> Remove all the Proxy directives from the main apache server config, it
> makes no sense when you then define vhosts later to use.
>
> Define a vhost for each site you wish to proxy. Set it up like so:
>
>
> ServerName proxyaip
> ProxyRequests Off
> DocumentRoot /var/empty
>
>
> Order allow,deny
> Allow from all
>
>
>
> ProxyPass http://aip.com/
> ProxyPassReverse http://aip.com/
>
>
>
>
> Accessing http://proxyaip/ should now be just like accessing
> http://aip.com/ . If you want to proxy more sites, define more vhosts.
>
> Cheers
>
> Tom
>
> ------------------------------------------------------------ ---------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
--001485f5b0c0ccc4230479bdf28d
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
I'm get "Access Forbidden" when trying to access proxysrv1/ai=
p and proxysrv1/apl
This is my updated vhost file:
"http://paste.ubuntu.com/333080/">http://paste.ubuntu.com/33 3080/
r>
On Wed, Dec 2, 2009 at 1:09 PM, Tom Evans
dir=3D"ltr"><@
//googlemail.com">googlemail.com> wrote:
=3D"gmail_quote" style=3D"border-left: 1px solid rgb(204, 204, 204); margin=
: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
On Wed, Dec 2, 2009 at 11:02 AM, Robert Schenck <
ef=3D"mailto:robschenck416@gmail.com">robschenck416@gmail.co m> wrote=
:
> I know this is a long read...but I really need help, and felt the best=
way
> for anyone to help me remotely is to explain the issues in their entir=
ety.
tl;dr
>
> Please explain any fixes in a step-by-step process. Again, I'm new=
to this.
>
Part of the problem is that you are rewriting HTML. Messy isn't i=
t?
Now do it again, but don't bother with rewriting the HTML.
Remove all the Proxy directives from the main apache server config, it
makes no sense when you then define vhosts later to use.
Define a vhost for each site you wish to proxy. Set it up like so:
<VirtualHost *:80>
=A0ServerName proxyaip
=A0ProxyRequests Off
=A0DocumentRoot /var/empty
=A0<Directory /var/empty>
=A0 =A0Order allow,deny
=A0 =A0Allow from all
=A0</Directory>
=A0<Location />
=A0 =A0ProxyPass
http://aip.=
com/
=A0 =A0ProxyPassReverse
http=
://aip.com/
=A0</Location>
</VirtualHost>
Accessing
http://proxyaip/=
a> should now be just like accessing
. If you =
want to proxy more sites, define more vhosts.
Cheers
Tom
------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.<=
br>
See <URL:
lank">http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail:
g">users-unsubscribe@httpd.apache.org
=A0 " =A0 from the digest:
@httpd.apache.org">users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail:
org">users-help@httpd.apache.org
--001485f5b0c0ccc4230479bdf28d--
Re: Reverse proxying is problematic
am 02.12.2009 13:29:28 von Tom Evans
On Wed, Dec 2, 2009 at 12:23 PM, Robert Schenck wrote:
> I'm get "Access Forbidden" when trying to access proxysrv1/aip and
> proxysrv1/apl
>
> This is my updated vhost file:
>
> http://paste.ubuntu.com/333080/
>
Your ServerName directives are not valid.
When you get an 'Access Forbidden' message, apache will _always_
explain why in the error log. What did it say?
Cheers
Tom
------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: Reverse proxying is problematic
am 02.12.2009 13:31:46 von Robert Schenck
--0016364990130140470479be10f4
Content-Type: text/plain; charset=ISO-8859-1
Here's a snippet: http://paste.ubuntu.com/333084/
On Wed, Dec 2, 2009 at 1:29 PM, Tom Evans wrote:
> On Wed, Dec 2, 2009 at 12:23 PM, Robert Schenck
> wrote:
> > I'm get "Access Forbidden" when trying to access proxysrv1/aip and
> > proxysrv1/apl
> >
> > This is my updated vhost file:
> >
> > http://paste.ubuntu.com/333080/
> >
>
> Your ServerName directives are not valid.
>
> When you get an 'Access Forbidden' message, apache will _always_
> explain why in the error log. What did it say?
>
> Cheers
>
> Tom
>
> ------------------------------------------------------------ ---------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
--0016364990130140470479be10f4
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Here's a snippet: http://pa=
ste.ubuntu.com/333084/
On Wed, Dec 2,=
2009 at 1:29 PM, Tom Evans
<
uk">tevans.uk@><=
/span> wrote:
204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
>On Wed, Dec 2, 2009 at 12:23 PM, Robert Schenck <
chenck416@gmail.com">robschenck416@gmail.com> wrote:
> I'm get "Access Forbidden" when trying to access proxysr=
v1/aip and
> proxysrv1/apl
>
> This is my updated vhost file:
>
> http://p=
aste.ubuntu.com/333080/
>
Your ServerName directives are not valid.
When you get an 'Access Forbidden' message, apache will _always_
>
explain why in the error log. What did it say?
Cheers
Tom
------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.<=
br>
See <URL:
lank">http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail:
g">users-unsubscribe@httpd.apache.org
=A0 " =A0 from the digest:
@httpd.apache.org">users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail:
org">users-help@httpd.apache.org
--0016364990130140470479be10f4--
Re: Reverse proxying is problematic
am 02.12.2009 15:08:36 von Eric Covener
On Wed, Dec 2, 2009 at 7:31 AM, Robert Schenck wrote:
>> >
>> > http://paste.ubuntu.com/333080/
>> >
The operative message is:
[Wed Dec 02 13:21:43 2009] [error] [client 9.4.69.54] Directory index
forbidden by Options directive: /srv/www/htdocs/apl/
Which would have been nice to include in-line. If you're serving a
mod_autoindex directory index on purpose, allow it with Options
+Indexes in the block that covers whatever this URL maps
to.
if you meant for this to be proxied, it isn't,
if you meant for this to show some default file, see DirectoryIndex.
--
Eric Covener
covener@gmail.com
------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: Reverse proxying is problematic
am 03.12.2009 00:05:36 von aw
Robert Schenck wrote:
> *I know this is a long read...but I really need help, and felt the best way
> for anyone to help me remotely is to explain the issues in their entirety. *
>
> Hello,
>
> I'm trying to set a reverse proxy, but first, some context:
>
> My office is subscribed to few academic journals. These journals verify the
> subscription via IP, such that anyone connected to the internet through our
> connection can access the journals. However, some individuals would like to
> access the journals away from the office as well.
Hi.
I know that there is already a long list of answers to this, at the
technical level. And you were right to provide some background like you
did above.
Before solving the problem at the technical level, I would /strongly/
recommend getting in touch with the publishers of these journals, and
talk to them about your idea (or your boss' idea) first.
This is just in case one of them would object, and consider that by
doing this you are violating the commercial agreement your office has
with them, and your office thus becomes a target for a copyright
infringement lawsuit.
Publishers, who live from these copyright fees, tend to not joke about
such matters.
Background :
A publisher made a contract with your office, whereby a certain number
of people have access to a certain number of published journal articles,
against a flat fee. That flat fee replaces, under certain
circumstances, a per-article, per-person fee which would normally have
to be paid. The number of people to which this arrangement applies, and
the corresponding fee, is estimated by the supplier on the base of some
reasonable number of users. This number of users is limited,
approximately, by the number of people which the supplier roughly
calculated would be accessing these articles from within your corporate
network, and would thus look like originating from the IP address of
your firewall/proxy.
Your scheme would basically break the assumptions of the supplier, by
potentially providing access to an uncontrolled number of people from
outside of the network for which these assumptions were calculated.
The supplier may get very unhappy about this.
On the other hand, a case such as you describe is not that uncommon, and
I am sure that the suppliers of these articles have other solutions
available, which do not contravene the commercial agreements.
------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: Reverse proxying is problematic
am 04.12.2009 06:11:42 von Devraj Mukherjee
Also look at mod_substitute and mod_headers
On Wed, Dec 2, 2009 at 10:45 PM, Robert Schenck w=
rote:
> Peter,
>
> I have to use Apache, I don't have a choice (says my employer).
>
> On Wed, Dec 2, 2009 at 12:13 PM, Peter Schober
t>
> wrote:
>>
>> * Robert Schenck [2009-12-02 12:03]:
>> > My office is subscribed to few academic journals. These journals verif=
y
>> > the
>> > subscription via IP, such that anyone connected to the internet throug=
h
>> > our
>> > connection can access the journals.
>>
>> You might also want to look at EZproxy
>> http://en.wikipedia.org/wiki/EZproxy
>> (besides getting the publisher to dump IP-addresses for authorization).
>> -peter
>>
>> ------------------------------------------------------------ ---------
>> The official User-To-User support forum of the Apache HTTP Server Projec=
t.
>> See for more info.
>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>> =A0 " =A0 from the digest: users-digest-unsubscribe@httpd.apache.org
>> For additional commands, e-mail: users-help@httpd.apache.org
>>
>
>
--=20
"The secret impresses no-one, the trick you use it for is everything"
- Alfred Borden (The Prestiege)
------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org