We have a reverse proxy server in front of an Exchange server and would like to lock down more of the paths. Minimized examples:
Fails (but works for all pages that don't require authentication):
<VirtualHost 192.168.1.81:443>
ServerName autodiscover.example.com
SSLEngine On
SSLProxyEngine On
Include conf/sslcert.conf
RewriteEngine On
RewriteRule (.*) https://exchangecluster.example.com$1 [P,L]
ProxyPassReverse / https://exchangecluster.example.com/
</VirtualHost>
Works:
<VirtualHost 192.168.1.81:443>
ServerName autodiscover.example.com
SSLEngine On
SSLProxyEngine On
Include conf/sslcert.conf
RewriteEngine On
ProxyPass / https://exchangecluster.example.com/
ProxyPassReverse / https://exchangecluster.example.com/
</VirtualHost>
The request makes it through when using the rewrite rule and responds with a 401 and provides options for WWW-Authenticate as expected. With ProxyPass, the user's authentication works, while with RewriteRUle, the user is continuously prompted for authentication, which I assume is related to NTLM.
There are several questions in StackExchange that say that mod_proxy can't handle the NTLM pass-through authentication, but it's working in this case.
The mod-rewrite issue can be worked around by handling paths that don't require authentication, then denying paths that should be blocked, and then doing a global ProxyPass.
Workaround:
<VirtualHost 192.168.1.81:443>
ServerName autodiscover.example.com
SSLEngine On
SSLProxyEngine On
Include conf/sslcert.conf
RewriteEngine On
# Block all requests except the autodiscover URLs
RewriteCond "%{REQUEST_URI}" "!^/autodiscover/autodiscover\.(?:xml|json|svc)$" [NC]
RewriteRule ^ - [F]
ProxyPass / https://exchangecluster.example.com/
ProxyPassReverse / https://exchangecluster.example.com/
</VirtualHost>
A comment on another question suggested using mpm_prefork_module instead of mpm_worker_module. I checked our 00_mpm.conf and we're using worker and it's working with proxypass, so it feels like we're missing something for the mod_rewrite proxy option.
Most questions I've found are about having the reverse proxy authenticate via NTLM. This questions is about passing the authentication to the server and keeping the session intact, not authenticating from Apache (assuming that's not required to make this work).
Are there any settings that need to be enabled to permit the proxying while using mod_rewrite?