Apache 2.4 Proxy for External, Redirect for Internal

Question

I am attempting to setup a reverse proxy to allow only a few select ip ranges to proxy to an internal host, while I would like anyone else not within the ip ranges to redirect to our internal named host. In this setup, the webservice will work while anyone who is not VPN'd into our network will not be capable of navigating to the internal resource. I have been attempting to get this to work without luck, my partial config is currently as follows:

       ProxyRequests Off
    <Proxy *>
            Allow from all
    </Proxy>
    <Location />
            Allow From xxx.xxx.xxx.xxx/24 1xxx.xxx.xxx.xxx/23
            Deny From All
            ProxyPass http://server.local.corp:8000/
            ProxyPassReverse http://server.local.corp:8000/
    </Location>

This config appears to work well for blocking other ip ranges from being able to proxy, however I am unclear how I can add a redirect statement for anyone else.

Edit Taking advice from the first answer my code now looks like:

<If "%{REMOTE_ADDR} -ipmatch 'xxx.xxx.xxx.xxx/24'">
  ProxyPass / http://server.local.corp:8000/
  ProxyPassReverse / http://server.local.corp:8000/
</If>

And apache throws the following error on restart:

ProxyPass cannot occur within <If> section
Action 'configtest' failed.
The Apache error log may have more information.

I'm facing the same error regarding ProxyPass and the section — Jordan Sitkin, Nov 26 '14 at 05:42

score 1 · Answer 1 · edited Feb 24 '18 at 19:31

The following should work if you are allowed to use subdomains, only should I can't test it at the moment ...

However the logic should work.

Use the to redirect XTERNs to a sub domain eg. xtern.example.com and resolve the things with virtual hosts!

<VirtualHost *:80>
    ServerName example.com

    <If "%{REMOTE_ADDR} !-ipmatch 'xxx.xxx.xxx.xxx/24'">
        Redirect "/" "http://xtern.example.com"
    </If>


    ProxyPass http://server.local.corp:8000/
    ProxyPassReverse http://server.local.corp:8000/
</VirtualHost>

<VirtualHost *:80>
    ServerName xtern.example.com

    ProxyPass http://server.xtern.corp:8000/
    ProxyPassReverse http://server.xtern.corp:8000/
</VirtualHost>

alxgomz · Answer 2 · 2014-06-17T21:31:34.227

0

You need to wrap you ProxyPass and Redirect directives into the newly introduced If statement: <If expression> ProxyPass… </If>"

Take a look at http://httpd.apache.org/docs/2.4/mod/core.html#if to find out more about the If directive, and http://httpd.apache.org/docs/2.4/expr.html to learn how to write an Apache expression (-ipmatch seems to be what you're looking for)

Note that this is only valid in Apache httpd 2.4.

edited Jun 17 '14 at 21:31

answered Jun 17 '14 at 21:24

alxgomz

1,630
1
11
14

3

Apache 2.4 does not allow ProxyPass within section – Javier Méndez Feb 10 '17 at 20:49
1

hmmm.. I can't remember wether or not I tested it, but this is weird because the doc clearly states that "Only directives that support the directory context can be used within this configuration section." which is the case of "ProxyPass"... – alxgomz Feb 14 '17 at 13:14
I did test it :) - and it shows that error (edit: using Apache/2.4.25 (Unix)) – Javier Méndez Feb 14 '17 at 18:56
ref: [Apache bug #54965](https://bz.apache.org/bugzilla/show_bug.cgi?id=54965) – Jesse Glick Apr 25 '18 at 00:50

Apache 2.4 Proxy for External, Redirect for Internal

2 Answers2