Rewriting 302 App Server ReDirect URLs with Apache Proxy in the Middle

Question

I have an odd setup. It looks like this:

Browser ----------> HTTPs Proxy ------> Apache HTTP -----> Tomcat AJP
           HTTPS                 HTTP                AJP

On the HTTPS proxy (a very dumb proxy), a URL comes in looking like https: //proxy.domain.com/app. It is then tunneled to Apache using HTTP as is http: //apache.domain.com/app (passing in the host proxy.domain.com). Apache then tunnels the request locally using the AJP protocol to ajp: //localhost:8009/app/.

Sometimes the app server wants to redirect the requested path. For example, redirect /app/ to /app/webapp. So, it sends a 302 back to apache redirecting the path - probably something like ajp: //localhost:8009/app/webapp. Apache then rewrites the redirect URL to http: //proxy.domain.com/app/webapp. The HTTPS proxy is dumb, so it does not analyze the redirect and change the http to https.

So, I would like to figure out if I can configure Apache to re-write the 302 redirect URL to send the user to https.

Here is the config I have so far in Apache's https.conf:

ProxyPreserveHost       on
RewriteEngine           on
RewriteRule ^/app$ /app/ [PT]
ProxyPass /app ajp://localhost:8009/app

I tried using ProxyPassReverse, but haven't been able to figure out how to force it to rewrite the 302 redirect URL with https instead of http.

Any thoughts?

score 9 · Answer 1 · edited Mar 08 '11 at 20:36

9

I always wrestle with a problem for hours before giving up and posting a question - only to solve my own problem minutes after posting ...

For those interested, the solution is not to use ProxyPassReverse, but rather to use the Header directive - it' let's you mess with outbound headers. In this case, I can capture the Location response header and run a regex on it to fix the URL's protocol:

ProxyPreserveHost       on
RewriteEngine           on
RewriteRule ^/app$ /app/ [PT]
ProxyPass /app ajp://localhost:8009/app
Header edit Location ^http(\:\/\/proxy.*)$ https$1

Voila!

If apache complains, it might be that mod_headers is not yet enabled: a2enmod headers

edited Mar 08 '11 at 20:36

Hank

379
3
15

answered Sep 14 '10 at 23:22

George

171
1
1
4

No need to edit the headers, go for @wondy solution to make tomcat know about the LB/RProxy protocol through RempteIpValve – Muhammad Hewedy May 29 '15 at 13:21
I used this solution. I much prefer doing some Apache config rather than making tomcat do what I want! – froderik Jun 08 '16 at 14:28

score 3 · Answer 2 · edited May 23 '17 at 12:41

3

I've found another option.

Based on https://stackoverflow.com/questions/5741210/handling-x-forwarded-proto-in-java-apache-tomcat and Apache ReverseProxyPass redrects to http rather than https it seems some servers recognize the X-Forwarded-Protocol header. One can make Tomcat recognize it by adding:

<Valve className="org.apache.catalina.valves.RemoteIpValve" protocolHeader="x-forwarded-protocol" />

to server.xml.

edited May 23 '17 at 12:41

Community

1

answered Mar 30 '13 at 19:54

wodny

133
3

1

This is the best solution, hence tomcat is designed to work this way – Muhammad Hewedy May 29 '15 at 13:21
I think you mean `X-Forwarded-Proto`. – Michael Hampton Oct 02 '15 at 04:32
I am quite sure I have used "Protocol" and it worked. But it was March 2013. I can see both versions have been used for some time. As I can see in the meantime a new RFC 7239 has been written (June 2014). Probably the "Proto" version has won and is the standard now. – wodny Oct 02 '15 at 08:37

Rewriting 302 App Server ReDirect URLs with Apache Proxy in the Middle

2 Answers2