Apache ProxyPass-ing Multiple Locations

Question

I am currently having issues trying to use Apache to act as a reverse proxy for the front end of our application and our backend API.

For example, if a user hits the URL https://my.app.com/ they should be taken to our front end application served out of S3. If you hit the URL https://my.app.com/api/hello you will receive a JSON response from our backend API.

Ideal behavior is that https://my.app.com/ be reverse proxied to http://s3app.private.

Likewise we will want https://my.app.com/api/hello to be reverse proxied to http://myapi.private/api/hello

Our current apache config looks like this:

Listen 443                                                                                                                                                                        
<VirtualHost *:443>                                                                                                                                                               
    ServerName my.app.com                                                                                                                                               
    ErrorDocument 404 /index.html                                                                                                                                                
    ProxyErrorOverride On                                                                                                                                                        

    RequestHeader set X-Forwarded-Proto https                                                                                                                                     

    SSLEngine on                                                                                                                                                                  
    SSLCertificateFile "/usr/local/apache2/certs/certificate.crt"                                                                                                                 
    SSLCertificateKeyFile "/usr/local/apache2/certs/private.key"                                                                                                                  
    SSLProtocol TLSv1.2                                                                                                                                                           

    ProxyAddHeaders On                                                                                                                                                            

    <Location "/">                                                                                                                                                                
        ProxyPass "http://s3app.private/" retry=0                                                                                                                      
    </Location>                                                                                                                                                                   
    <Location "/api">                                                                                                                                                             
        ProxyPreserveHost On                                                                                                                                                      
        ProxyPass "http://myapi.private/api" retry=0                                                                                                                             
    </Location>                                                                                                                                                                   
</VirtualHost>

The current behavior is that when we hit https://my.app.com/ we see our front end application. However when we hit https://my.app.com/api/hello we get a 503 error from the server.

The Logs of Apache show these lines:

[proxy:error] The timeout specified has expired: AH00957: HTTP: attempt to connect to <internal_ip>:80 (api.private) failed
[proxy_http:error] AH01114: HTTP: failed to make connection to backend: myapi.private, referer: https://my.app.com/
"GET /api/hello HTTP/1.1" 503 299

We've verified that our API is indeed listening through this mechanism by pointing Apache to the API alone like so:

Listen 443                                                                                                                                                                        
<VirtualHost *:443>                                                                                                                                                               
    ServerName my.app.com                                                                                                                                               
    ErrorDocument 404 /index.html                                                                                                                                                
    ProxyErrorOverride On                                                                                                                                                        

    RequestHeader set X-Forwarded-Proto https                                                                                                                                     

    SSLEngine on                                                                                                                                                                  
    SSLCertificateFile "/usr/local/apache2/certs/certificate.crt"                                                                                                                 
    SSLCertificateKeyFile "/usr/local/apache2/certs/private.key"                                                                                                                  
    SSLProtocol TLSv1.2                                                                                                                                                           

    ProxyAddHeaders On                                                                                                                                                            

    <Location "/api">                                                                                                                                                             
        ProxyPreserveHost On                                                                                                                                                      
        ProxyPass "http://myapi.private/api" retry=0                                                                                                                             
    </Location>                                                                                                                                                                   
</VirtualHost>

Doing so allows us to hit https://my.app.com/api/hello and see the expected JSON response. But this is only successful when there is no other location block present.

For what it's worth, our internal DNS is provided by Route53 and our API is hosted in ECS.

Any and all help would be greatly appreciated!

Why is `ProxyPass "http://s3app.private/"` not using HTTP**S**? — Michael - sqlbot, Jan 30 '20 at 18:41
Our Apache instance is doing our ssl termination. So HTTPS behind the Apache instance isn't needed. — Jake Hewitt, Jan 30 '20 at 18:47
My mistake. I misread the *"Ideal behavior is that..."* line, incorrectly seeing https in both places, and based on that didn't understand why the config didn't also use HTTPS. — Michael - sqlbot, Jan 30 '20 at 19:43

score 0 · Answer 1 · answered Jan 30 '20 at 14:46

Using two virtual hosts may help out, but it may not be the most ideal solution.

Listen 443
<VirtualHost *:443>
    ServerName my.app.com 
    ErrorDocument 404 /index.html
    ProxyErrorOverride On

    RequestHeader set X-Forwarded-Proto https

    SSLEngine on
    SSLCertificateFile "/usr/local/apache2/certs/certificate.crt"
    SSLCertificateKeyFile "/usr/local/apache2/certs/private.key"
    SSLProtocol TLSv1.2

    ProxyAddHeaders On

    <Location "/">
        ProxyPass "http://s3app.private/" retry=0
    </Location>
    <Location "/api">
        ProxyPreserveHost On
        ProxyPass "http://localhost:8443/api" retry=0
    </Location>
</VirtualHost>

Listen 8443
<VirtualHost *:8443>
    ServerName localhost
    <Location "/api">
        ProxyPreserveHost On
        ProxyPass "http://myapi.private/api" retry=0
    </Location>
</VirtualHost>

I don't have a technical reason for why this would solve your issue but it may be worth a shot.

Apache ProxyPass-ing Multiple Locations

1 Answers1