Score:0

Apache reverse proxy - URL without / is refused


I use a reverse proxy to show backend server content for a subdomain. The subdomain.mydomain.com (server A) should display the content of the server with IP 123.123.123.123, port 1111 (server B).

Virtual host of subdomain.mydomain.com (server A):

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName subdomain.mydomain.com

    SSLEngine on
    SecAuditEngine On
    RewriteEngine On
    SSLProxyEngine on
    ProxyPreserveHost On
    LogLevel warn

    <Directory />
        Options -Indexes +FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>

    <Location />
        ProxyPass https://123.123.123.123:1111
        ProxyPassReverse https://123.123.123.123:1111
    </Location>

    ErrorLog /var/log/apache2/error.log

    SSLProtocol             all -SSLv2 -SSLv3
    SSLHonorCipherOrder     on
    SSLVerifyClient none
    SSLVerifyDepth 1

    SSLCertificateFile /etc/apache2/cert.site/chain_wildcard_site_combined.crt
    SSLCertificateKeyFile /etc/apache2/cert.site/key_wildcard_site.key

    SetEnvIf User-Agent ".*MSIE.*" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0

</VirtualHost>
</IfModule>

Virtual host of 123.123.123.123:1111 (server B):

<IfModule mod_ssl.c>
<VirtualHost 123.123.123.123:1111>
    DocumentRoot /srv/www/site/htdocs

    SSLEngine on
    RewriteEngine On
    SSLProxyEngine on
    ProxyPreserveHost On
    LogLevel warn

    <Location "/">
        Require ip 222.222.222.222
    </Location>

    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>

    <Directory /srv/www/site/htdocs>
        Options -Indexes +FollowSymLinks +MultiViews
        DirectoryIndex index.php
        AllowOverride None
        Require all granted
    </Directory>

    ErrorLog /srv/www/site/log/error.log
    CustomLog /srv/www/site/log/access.log combined
    CustomLog /srv/www/site/log/ssl_request_log \
                "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

    SSLProtocol             all -SSLv2 -SSLv3
    SSLHonorCipherOrder     on
    SSLVerifyClient none
    SSLVerifyDepth 1

    SSLCertificateFile /etc/apache2/cert.site/chain_wildcard_site_combined.crt
    SSLCertificateKeyFile /etc/apache2/cert.site/key_wildcard_site.key

    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>

</VirtualHost>
</IfModule>

If I load the URL: https://subdomain.mydomain.com/dir/

it loads successfully.

If I load the URL (without the trailing slash): https://subdomain.mydomain.com/dir

it results in an error page: ERR_CONNECTION_REFUSED.

EDIT1:

I execute the command:

curl -IL https://subdomain.mydomain.com/dir

and I get this result:

HTTP/1.1 301 Moved Permanently
Date: Mon, 23 Aug 2021 13:45:13 GMT
Server: Apache
Strict-Transport-Security: max-age=15768000; includeSubDomains
Strict-Transport-Security: max-age=15768000; includeSubDomains
Location: https://subdomain.mydomain.com:1111/dir/
Content-Type: text/html; charset=iso-8859-1

curl: (7) Failed to connect to subdomain.mydomain.com port 1111: Connection refused

EDIT2:

I added the trailing slash:

<Location />
    ProxyPass https://123.123.123.123:1111/
    ProxyPassReverse https://123.123.123.123:1111/
</Location>

But I still get the Connection refused error.

Any idea why it results in an error when the trailing slash is missing?

Thanks!

Chris:
I would try adding the trailing slash to the `ProxyPass`/`ProxyPassReverse` directives in your location block. From what I see in the docs and my own config, you can write `ProxyPass "/" "something_with_trailing_slash/"` or `ProxyPass "/url" "something_without_trailing_slash"`, while your location block is equivalent to `ProxyPass "/" "something_without_trailing_slash"`.
klor:
Earlier I used `ProxyPass "/" "something_with_trailing_slash/"` with the same wrong result.
mforsetti:
Do both `curl -IL https://subdomain.mydomain.com/dir` and `curl -IL https://subdomain.mydomain.com/dir/` and edit the question to include the output.
klor:
@mforsetti added the curl result to the OP.
Score:1

Review your firewall settings and your server logs on server B and verify that server A is able to reach server B with the correct IP address as sender (I'm assuming that's 222.222.222.222). Your listings for server B are also missing a Listen 1111 https directive.

Edit: The backend server is forcing a redirect:

HTTP/1.1 301 Moved Permanently
Location: https://subdomain.mydomain.com:1111/dir/

The presence of the HSTS header and the absence of any rewrite rules make me assume that it's the application that's issuing the redirect.

Verify which it is.

You stated that with the added '/' things work fine. Forcing the trailing '/' with mod_rewrite on the frontend server seems like an acceptable solution to me.

klor:
I forgot to mention that Listen 1111, 443 is set separately in ports.conf. I don't think it is a firewall problem, as it works for /dir/ but not for /dir.
Answerer:
Find out what triggers the redirect you experience according to `curl`'s output. It's very likely that it's the backend server (non-obvious from the config fragments you posted) or the application itself that's forcing it. Enforcing a trailing `/` with rewrite rules could be an acceptable workaround.
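The frontend fix the answer above describes, written out as an added example (not config from the question or from any answer). It assumes the backend is 123.123.123.123:1111 as posted, hardcodes the public hostname instead of trusting the Host header, and adds one extra ProxyPassReverse for the redirect prefix actually seen in the curl output.

```apache
# Added example: frontend vhost fragment for server A (SSL/cert lines omitted).
<VirtualHost *:443>
    ServerName subdomain.mydomain.com
    SSLEngine on
    SSLProxyEngine on
    ProxyPreserveHost On
    RewriteEngine On

    # Force the trailing slash on the frontend so the backend's mod_dir never
    # has to issue its own redirect. Skip paths that already end in "/" and
    # paths that look like files (a short extension after a dot).
    # mod_rewrite runs before mod_proxy's URL translation, so this fires
    # before the request is proxied. A 301 turns POST into GET; use R=308
    # if that matters for your application.
    RewriteCond %{REQUEST_URI} !/$
    RewriteCond %{REQUEST_URI} !\.[A-Za-z0-9]{1,8}$
    RewriteRule ^(.*)$ https://subdomain.mydomain.com$1/ [R=301,L]

    # Mirror the trailing slash on both sides, as the comments suggest.
    ProxyPass        "/" "https://123.123.123.123:1111/"
    ProxyPassReverse "/" "https://123.123.123.123:1111/"

    # ProxyPassReverse only rewrites Location headers whose URL starts with
    # the URL given. The redirect in the question pointed at
    # https://subdomain.mydomain.com:1111/dir/ (the preserved Host plus the
    # backend's own port), which does not start with the backend URL above,
    # so it passed through unchanged and the browser tried port 1111 on the
    # frontend. A second ProxyPassReverse covering that prefix rewrites any
    # such redirect back to the frontend's own origin.
    ProxyPassReverse "/" "https://subdomain.mydomain.com:1111/"
</VirtualHost>
```

After reloading, `curl -IL https://subdomain.mydomain.com/dir` should show the 301 from the frontend with a Location on port 443, followed by the backend's 200 for /dir/.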
Score:0

Looks like this was already answered here. Still, to answer your question:

You are missing a forward-slash at the end of both the ProxyPass and ProxyPassReverse directives.

Read this if you need more details on why this is the case.

klor:
I tested your suggestion, but I still get the error. See the modified OP.
Score:0

Your reverse proxy is not (probably should not be) listening on port 1111.

Yet, your 123 server is redirecting to port 1111 (assumption based on configs you posted).
