{"id":6018,"date":"2016-07-13T21:13:29","date_gmt":"2016-07-13T13:13:29","guid":{"rendered":"http:\/\/rmohan.com\/?p=6018"},"modified":"2016-07-13T21:17:41","modified_gmt":"2016-07-13T13:17:41","slug":"proxying-from-apache-https-to-some-backend-server-that-only-speaks-http","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=6018","title":{"rendered":"Proxying from Apache HTTPS to some backend server that only speaks HTTP"},"content":{"rendered":"<p><strong>Proxying from Apache HTTPS to some backend server that only speaks HTTP<\/strong><\/p>\n<p>Here\u2019s a use case: You want to run an application server that only speaks HTTP, but securely, over HTTPS. The problem is that the application server won\u2019t know that it\u2019s being accessed via HTTPS, so any URLs and redirects it generates might point to HTTP. Here\u2019s an example virtual host entry that takes care of that by rewriting the Location header.<\/p>\n<p>You need Apache, mod_proxy and mod_headers.<\/p>\n<p><VirtualHost *:443><br \/>\n  ServerName foo.bar.example.com<\/p>\n<p>  SSLEngine on<br \/>\n  SSLCertificateFile    \/etc\/ssl\/certs\/ssl-cert-snakeoil.pem<br \/>\n  SSLCertificateKeyFile \/etc\/ssl\/private\/ssl-cert-snakeoil.key<br \/>\n  Header edit Location &quot;^http:(.*)$&quot; &quot;https:$1&quot;<\/p>\n<p>  PassengerEnabled off<br \/>\n  ProxyPass \/ http:\/\/127.0.0.1:3000\/<br \/>\n  ProxyPassReverse \/ http:\/\/127.0.0.1:3000\/<\/p>\n<p>  DocumentRoot \/var\/www\/foo\/bar<br \/>\n  <Directory \/var\/www\/foo\/bar><br \/>\n    AllowOverride none<br \/>\n    Options -MultiViews<br \/>\n  <\/Directory><br \/>\n<\/VirtualHost><br \/>\nThe magical line is the one with \u201cHeader edit\u2026\u201d. 
This makes sure any redirect your app server would have sent to HTTP is rewritten to HTTPS.<\/p>\n<p>Header edit Location ^http:\/\/(yourdomain.com\/sslpath.*) https:\/\/$1<\/p>\n<p>httpd.conf<\/p>\n<p>LoadModule ext_filter_module modules\/mod_ext_filter.so<\/p>\n<p>RewriteEngine on<\/p>\n<p>#1<br \/>\nRewriteCond %{REQUEST_URI} ^\/gw\/192\\.168\\.0\\.[0-9]{1,3}\/<br \/>\nRewriteRule ^\/gw\/(.*) \/gw\/http:\/\/$1 [R,NS,L]<\/p>\n<p>#2<br \/>\nRewriteCond %{REQUEST_FILENAME} !\/\\.ht.* [NC]<br \/>\nRewriteCond %{REQUEST_URI} ^\/gw\/https?[:\/]+192\\.168\\.0\\.[0-9]{1,3}\/<br \/>\nRewriteRule ^\/gw\/(https?)[:\/]+(.*) $1:\/\/$2 [P,L,NS]<\/p>\n<p>#3<br \/>\nHeader edit Location ^(https?)[:\/]+(.*) \/gw\/$1:\/\/$2<\/p>\n<p>#4<br \/>\nExtFilterDefine fixurl mode=output cmd=&quot;\/bin\/bash \/var\/www\/bin\/url_rewrite.sh&quot;<br \/>\nSetOutputFilter fixurl<\/p>\n<p>#!\/bin\/bash<\/p>\n<p>host=$(echo ${DOCUMENT_URI} | sed -e &#39;s|^\/gw\/\\(https\\?\\)[:\/]\\+\\([^\/]*\\)\/.*|\/gw\/\\1:\/\/\\2\/|g&#39;)<\/p>\n<p>\/bin\/sed \\<br \/>\n    -e &quot;s%\\(href\\|src\\|action\\)=\\&quot;\/\\([^\\&quot; <>\\n]*\\)\\&quot;%\\1=\\&quot;${host}\\2\\&quot;%g&quot; \\<br \/>\n    -e &quot;s%\\(url: *[&#39;\\&quot;]\\)\/\\([^&#39;\\&quot;]*[&#39;\\&quot;]\\)%\\1${host}\\2%g&quot; \\<br \/>\n    -e &quot;s%\\&quot;\\(https\\?\\)[:\/]\\+\\(192\\.168\\.0\\.[0-9]\\{1,3\\}\\)\/%\\&quot;http:\/\/${HTTP_HOST}\/gw\/\\1:\/\/\\2\/%g&quot; \\<br \/>\n    -e &quot;s%localhost\/%${HTTP_HOST}${host}%g&quot;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Proxying from Apache HTTPS to some backend server that only speaks HTTP<\/p>\n<p>Here\u2019s a use case: You want to run an application server that only speaks HTTP, but securely, over HTTPS. 
The problem is that the application server won\u2019t know that it\u2019s being accessed via HTTPS, so any URLs and redirects it generates might point [&#8230;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[12],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/6018"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6018"}],"version-history":[{"count":3,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/6018\/revisions"}],"predecessor-version":[{"id":6021,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/6018\/revisions\/6021"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6018"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6018"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6018"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}