Apache redirects behind SSL terminating proxy

apache-2.2httphttpsredirectreverse-proxy

I have the following redirects in the <VirtualHost *:80>:

RewriteRule ^/old-url$  /new-url  [R=301,L]
RewriteRule ^/foo$      /bar      [R=301,L]
...

In front of apache I've got haproxy, listening on 80 and 443, the latter doing SSL termination and:

http-request set-header X-Forwarded-Port %[dst_port]
http-request set-header X-Forwarded-Proto https if { ssl_fc }

My problem with the redirects is that:

http://example.com/foo correctly redirects to http://example.com/bar
https://example.com/foo wrongly redirects to http://example.com/bar

How can I make sure http redirects to http and https to https? Note that I want to avoid having to write the redirect rules twice. How could I use the X-Forwarded-Proto or X-Forwarded-Port to redirect to the correct scheme?

Best Answer

Since the redirect will always contain the absolute URL, you'll need to make your redirections to be a full URL, like this:

RewriteEngine On
RewriteRule "^/foo" "%{HTTP:X-Forwarded-Proto}://%{HTTP_HOST}/bar" [R=301]

For this to work in all cases, you need to be sure that the X-Forwarded-Proto is always correct, so it should contain "http" for simple HTTP connections (I believe haproxy doesn't set it explicitly, so you'll need to do so). Also, the Apache server should receive a Host: header, so if haproxy calls the Apache server by IP, then you need to replace the %{HTTP_HOST} part with the actual hostname.

Related Solutions

How to forward requests to another URL without actually changing the URL in Apache

You need to proxy it with the [P] option. This also will require you to set up mod_proxy.

See http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html and search for "force proxy".

Keep in mind that this will put additional load on your Apache. How much load is dependent upon how much traffic you receive and how quickly the Tomcat server can return traffic back to the Apache.

You could also just simply include /bar in your mod_proxy_ajp rules or mod_jk configuration (JkMount), which would be a far far better solution than using mod_rewrite.

Tomcat – Pretty URLs when using Tomcat behind an Apache proxy

If you're rewriting everything to a common location, you would typically do something like this:

ProxyPass        / http://localhost:8080/foo/
ProxyPassReverse / http://localhost:8080/foo/

If you need different rules for different paths, you would probably use the Proxy flag on a series of RewriteRules:

RewriteRule /bar/(.*) http://localhost:8080/foo/app/bar/$1 [P]
RewriteRule /api/qux/(.*) http://localhost:8080/foo/api/qux/$1 [P]
RewriteRule /quux/(.*) http://localhost:8080/foo/quux/$1 [P]
RewriteRule /(.*) http://localhost:8080/foo/app/$1 [P]

The this will send things to the appropriate place in Tomcat.

The only complication is if the application dynamically generates URLs with fully qualified paths. In this case, you need to either fix the application, or use something like mod_proxy_html to rewrite links in your HTML content.

Best Answer

Related Solutions

How to forward requests to another URL without actually changing the URL in Apache

Tomcat – Pretty URLs when using Tomcat behind an Apache proxy

Related Topic