apache fails to get remote host name

Question

I have...

<VirtualHost example.com:80>
    ServerAdmin webmaster@localhost
    ServerName example.com

    Redirect permanent / https://example.com/
</VirtualHost>

which immediately goes to...

<IfModule mod_ssl.c>
    <VirtualHost example.com:443>

        ServerAdmin webmaster@localhost
        ServerName example.com
        ServerAlias example.com

        DocumentRoot /home/klyde/ror/exampledev/public

        SSLCertificateFile   /etc/apache2/ssl/certs/123abc.crt
        SSLCertificateChainFile /etc/apache2/ssl/certs/gd_bundle-g2-g1.crt
        SSLCertificateKeyFile /etc/apache2/ssl/private/examplekey.key

        BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

        SSLEngine on
        SSLProxyEngine On
        ProxyRequests On

        <Proxy *>
            AddDefaultCharset off
            #Options Indexes FollowSymLinks
            AllowOverride none
            <RequireAny>
                #<RequireAll>
                #   Require all granted
                #</RequireAll>
                <RequireAll>
                    Require host example.com
                </RequireAll>
                <RequireAll>
                    Require local
                    # Require ip 127.0.0.1
                </RequireAll>
            </RequireAny>
        </Proxy>

        ProxyPassReverseCookiePath / /
        ProxyPass /errors/ !

        ProxyPass /websockets ws://127.0.0.1:8675/
        ProxyPassReverse /websockets ws://127.0.0.1:8675/

        ProxyPass / ajp://localhost:8009/
        ProxyPassReverse / ajp://localhost:8009/

    </VirtualHost>
</IfModule>

When I enable...

Require all granted

all works ok. But the site is overrun by phishing. I would like...

Require host example.com

But this results in a log error...

access check of 'example.com' to / failed, reason: unable to get the remote host name

This configuration I've chosen because I want to stop SSL in Apache and ajp to Torquebox. This works fine, except when attempting to secure the site. Of course, Apache with Torquebox may not be entirely desirable, advisable, etc. Suggestions to the contrary are welcome.

Main question - Why the 'remote host name' error. Any ideas?

The 'name resolution'...I can't say that it does. All I know is that it all works with 'Require all granted'. But then, no security. — forresttales, Oct 04 '15 at 20:33

BillThor · Answer 1 · 2015-10-04T21:48:02.953

2

Determining the remote host by name only works if the remote IP address has a PTR records, Not all IP addresses do. If you can, use IP addresses in the Require statement.

You can also use basic auth (preferably over https) to restrict access.

You should not need to define a proxy if all you want is proxypass functionality.

If you need to proxy, try restricting your proxy to your domain.

<Proxy http://www.example.com/*>
    ....
</Proxy>

edited Oct 04 '15 at 21:48

answered Oct 04 '15 at 21:40

BillThor

27,737
3
37
69

Using full address in with "Require if xx.xxx.xx.xxx" - immediate success. Also, completely removing the forward proxy, , and it's directives, works. I'll keep it this way. In both scenarios, Chrome still gives the Phishing warning, although no further evidence of it. Firefox now gives NO warning. No errors, just blocked attempts are logged. Suspect this is normal. I'd vote you up, if i had enough points. – forresttales Oct 04 '15 at 23:12

score 0 · Answer 2 · answered Nov 18 '20 at 10:02

0

I think you can use

Require ip 127.0.0.1

with IP from your server instad of the local ip

answered Nov 18 '20 at 10:02

GerA

1
1

score 0 · Answer 3 · answered Feb 14 '21 at 18:16

0

If you just want to open things up and allow requests coming from any IP you can use:

Require all granted

You can look here for more info: https://serverfault.com/a/887196/468080

answered Feb 14 '21 at 18:16

Andy Weinstein

141
3

apache fails to get remote host name

3 Answers3