Join Log in
Score:1
pierostz avatar Server

Apache reverse proxy not working and generates a 404 error

bl flag
pierostz

I have an installation of Shiboleth that runs on Jetty 9. Through Apache I have a reverse proxy to the 8080 port of Jetty which serves the Shiboleth instance.

When I curl http://localhost:8080/idp/shibboleth in the console, the instance responce is generated correctly.

However when I do the same on my browser https://idp.example.com/idp/shibboleth I get a 404 error.

This is some indication that the reverse proxy is not working correctly?

This is my apache conf

SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)

<VirtualHost *:80>
ServerName "idp.spectrum.com.cy"
Redirect permanent "/" "https://idp.spectrum.com.cy/"
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost _default_:443>
 ServerName idp.spectrum.com.cy:443
 ServerAdmin [email protected]
 # Debian
 CustomLog /var/log/apache2/idp.spectrum.com.cy.log combined
 ErrorLog /var/log/apache2/idp.spectrum.com.cy.org-error.log
 # Centos
 #CustomLog /var/log/httpd/idp.example.org.log combined
 #ErrorLog /var/log/httpd/idp.example.org-error.log
 
 DocumentRoot /var/www/html/idp.spectrum.com.cy
 
 SSLEngine On
 SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
 SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"

 SSLHonorCipherOrder on
 
 # Disallow embedding your IdP's login page within an iframe and
 # Enable HTTP Strict Transport Security with a 2 year duration
 <IfModule headers_module>
    Header set X-Frame-Options DENY
    Header set Strict-Transport-Security "max-age=63072000 ; includeSubDomains ; preload"
 </IfModule>
 
 # Debian
 SSLCertificateFile /etc/ssl/certs/idp.spectrum.com.cy.crt
 SSLCertificateKeyFile /etc/ssl/private/idp.spectrum.com.cy.key

 # ACME-CA or GEANT_OV_RSA_CA_4 (For users who use GARR TCS/Sectigo RSA Organization Validation Secure Server CA)
 #SSLCACertificateFile /etc/ssl/certs/ACME-CA.pem
 #SSLCACertificateFile /etc/ssl/certs/GEANT_OV_RSA_CA_4.pem


 # Centos
 #SSLCertificateFile /etc/pki/tls/certs/idp.example.org.crt
 #SSLCertificateKeyFile /etc/pki/tls/private/idp.example.org.key

 # ACME-CA or GEANT_OV_RSA_CA_4 (For users who use GARR TCS/Sectigo RSA Organization Validation Secure Server CA)
 #SSLCACertificateFile /etc/pki/tls/certs/ACME-CA.pem
 #SSLCACertificateFile /etc/pki/tls/certs/GEANT_OV_RSA_CA_4.pem

 <IfModule mod_proxy.c>
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"
    ProxyPass /idp http://localhost:8080/idp/ retry=5
    ProxyPassReverse /idp http://localhost:8080/idp/ retry=5

    <Location /idp>
       Require all granted
    </Location>
 </IfModule>
</VirtualHost>
</IfModule>

<VirtualHost 127.0.0.1:80>
  ProxyPass /idp  http://localhost:8080/idp/ retry=5
  ProxyPassReverse /idp http://localhost:8080/idp/ retry=5
  <Location /idp>
   Require all granted
  </Location>
</VirtualHost>

I have simplified my conf file in order to remove https. The configuration below works fine but with http only. I will investigate why the https configuration generates 404 error.

<VirtualHost *:80>
ServerName idp.spectrum.com.cy

 <IfModule mod_proxy.c>
    ProxyPreserveHost On
    ProxyPass /idp/ http://localhost:8080/idp/ retry=5
    ProxyPassReverse /idp/ http://localhost:8080/idp/ retry=5

    <Location /idp>
       Require all granted
    </Location>
 </IfModule>

# This virtualhost is only here to handle administrative commands 
for Shibboleth, executed from localhost
<VirtualHost 127.0.0.1:80>
  ProxyPass /idp  http://localhost:8080/idp/ retry=5
  ProxyPassReverse /idp http://localhost:8080/idp/ retry=5
  <Location /idp>
    Require all granted
  </Location>
</VirtualHost>
1504
2 + 6
djdomi avatar
za flag
djdomi
Im unsure, but my stomach thinks, that there is no defination for /idp to anywhere. you can take a look on https://serverfault.com/questions/429122/apache-virtualhost-proxy-with-a-subdirectory for a hint to solve your issue
0
Reply
pierostz avatar
bl flag
pierostz
@djdomi when I curl to http//localhost:8080/idp I still get an answer from the shibboleth instance. So I guess this is not the case...?
0
Reply
djdomi avatar
za flag
djdomi
Yes `<VirtualHost 127.0.0.1:80>` has an entry for it, but not `<VirtualHost _default_:443>` or lets explain in other words: each VirtualHost is like a Standalone apache installation
0
Reply
pierostz avatar
bl flag
pierostz
If we are on the same page. There are three Virtual Hosts on the above. One is for port 80 that redirects to https, one for https on port 443 (the one I think you say is missing) and one for the localhost on port 80.
0
Reply
in flag
Gerald Schneider
Is mod_proxy enabled?
0
Reply
in flag
Gerald Schneider
You might want to remove all those IfModule directives, they have their uses but most often they hide problems instead of preventing them.
3
Reply
Score:2
avatar Server
cn flag
chutz

Try removing the port from the ServerName directive. I.e.,

ServerName idp.spectrum.com.cy

Per https://httpd.apache.org/docs/2.4/mod/core.html#servername the port is optional and allowed, but the following mention in the documentation sounds like it may be the reason why that VirtualHost configuration is not picking up (browsers do not sent the port number in the Host: header).

If you are using name-based virtual hosts, the ServerName inside a <VirtualHost> section specifies what hostname must appear in the request's Host: header to match this virtual host.

0 + 1
pierostz avatar
bl flag
pierostz
I have tried the ServerName with and without the port wihtout any difference. I have ommited the port based on the docs your provided. Thanks for the input.
0
Reply
Score:1
avatar Server
cm flag
fuero

It's supposed to be

ProxyPass /idp/ http://localhost:8080/idp/

Note the trailing slash in the ProxyPass command's first argument. Always align the trailing slashes in both arguments.

My VirtualHost declarations are pretty basic and only contain the bare minimum to work:

<VirtualHost *:80>
    DocumentRoot /var/www/html

    ServerName idp.example.com
    ServerAlias idp
    ErrorLog  logs/error_log
    CustomLog logs/access_log    
</VirtualHost>
<VirtualHost *:443>
    DocumentRoot /var/www/html

    SSLEngine on
    SSLProxyEngine on
    SSLCertificateKeyFile /etc/pki/tls/private/idp.example.com.key
    SSLCertificateFile /etc/pki/tls/certs/idp.example.com.crt
    SSLCertificateChainFile /etc/pki/tls/certs/chain.crt

    ServerName idp.example.com
    ServerAlias idp
    ErrorLog  logs/ssl-error_log
    CustomLog logs/ssl-access_log combined
</VirtualHost>

Here's my IDP's /etc/httpd/conf.d/idp.conf:

ProxyPass /idp/ http://localhost:8080/idp/ retry=5
ProxyPassReverse /idp/ http://localhost:8080/idp/

<Proxy http://localhost:8080>
       Require all granted
       RequestHeader set X-Forwarded-Proto https
       RequestHeader set X-Proxied-Https on
       RequestHeader set Proxy-ssl-id %{SSL_SESSION_ID}s
</Proxy>
0 + 1
pierostz avatar
bl flag
pierostz
Thanks so much for this. The trailing slash was missing. That simple. I had some more issues but without the trailing slash I would not resolve them.
0
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.