1

I have an Apache 2.4 server on Windows 2008 that has been working great as a reverse proxy. It is serving content from a LifeRay 6.0 installation running on Glassfish 3.0. Originally, when we implemented an https permanent redirect we could no longer log into LifeRay but that has been solved, I think, at this point. Once we log into Liferay, the connection is secure, but it is still possible to change the https to http and the page will display as an http connection without reverting back to https. Also, the initial connection to the site can use http and the if the user doesn't log in, the site will continue to use an http connection. Again, I though the redirect permanent would force all http traffic to be https.

Apache is providing the SSL connection to users and the proxypass directives connect to LifeRay on an insecure port, which isn't an issue because the internal connection is virtual and not accessible from the Internet. So, I though I had the configuration nailed down on this but I must be missing something because I seem to be able to access the site with http when I thought the permanent redirect would prevent that. Should ProxyPassReverse be https rather than http? Here is the configuration:

TEST SERVER 
<VirtualHost *:443>
ServerName test.myexternalserver.org
 #
 ProxyPreserveHost On
 SetEnv proxy-sendchunked
 SSLEngine on
 ProxyPass / http://192.168.80.196:8080/
 ProxyPassReverse / http://192.168.80.196:8080/

 </VirtualHost>

 <VirtualHost *:80>
 ServerName test.myexternalserver.org
 ProxyPreserveHost On
 SetEnv proxy-sendchunked
 Redirect permanent / https://test.myexternalserver.org/
 ProxyPass / http://192.168.80.196:8080/
 ProxyPassReverse / http://192.168.80.196:8080/

 </VirtualHost>
user9517
  • 115,471
  • 20
  • 215
  • 297
Pete Helgren
  • 213
  • 1
  • 3
  • 13
  • Just to verify, can you provide the output from `apachectl -S`? Is there any particular reason you have the `ProxyPass` configured in the port 80 listener, when you only want application traffic to be handled via port 443? – Shane Madden May 09 '13 at 03:58
  • The 80 listener was there because we had an issue where we couldn't log into Liferay using SSL. After I fixed that issue, I just never removed it and assumed that the Redirect permanent would ensure that the 80 traffic would be redirected to 443. I guess I could try removing that entry on our test server and see what happens. (BTW it look like apachectl isn't a supported command on Windows) – Pete Helgren May 10 '13 at 10:51
  • I was having the same problem and the proxypassmatch is definitely what breaks the rewrite. Just commenting out the Proxypassmatch gets the redirect to work. I'm not sure what you can do if you want to selectively redirect. – Town Websites May 03 '16 at 19:31

1 Answers1

0

From what I've read this morning, the modules are executed in a set order. (The order seems to be determined by the module's code at compile-time.) Based on your question here, it sounds like mod_proxy (for ProxyPass & co.) is executed before mod_alias (for Redirect).

To get the expected behaviour, you can remove all the references to the proxy from your port-80 virtual host. We have may VHosts that look very much like this in production, and they work just fine.

<VirtualHost *:80>
  ServerName test.myexternalserver.org
  Redirect permanent / https://test.myexternalserver.org/
</VirtualHost>
fredden
  • 393
  • 1
  • 10
  • This is a pretty old post and sorry I didn't flag it sooner. This is eventually what I did a few months ago after cleaning up some other spurious entries. Just redirect to https ... – Pete Helgren Feb 20 '14 at 22:35