I have a web application installed (ClockingIT) that acts based on the used subdomain. As we want to use SSL and do not have a wildcard certificate, this is not very convenient for us 🙂 So I thought about using Apache's mod_proxy and mod_rewrite functionality.
To be more precise, I want the URL Xttps://example.com/cit/ (external) to show the contents of Xttp://test.example.com:3000/ (internal).
Here's my setup:

    <VirtualHost *:443>
        ServerName example.com
        # (SSL setup, etc)
        SSLProxyEngine On
        UseCanonicalName Off
        ProxyRequests Off
        # or On, makes no difference
        ProxyPreserveHost Off
        RewriteEngine On
        RewriteRule ^/cit$ Xttp://test.example.com:3000/ [P,NC]
        RewriteRule ^/cit/(.*)$ Xttp://test.example.com:3000/$1 [P,NC]
        ProxyPassReverse /cit/ Xttp://test.example.com:3000/
    </VirtualHost>

test.example.com is not defined on the DNS server, but it is set in /etc/hosts to map to 127.0.0.1. If I do "w3m Xttp://test.example.com:3000/" on the server, I get the correct web page. However, if I access https://example.com/cit/ on my desktop's browser, I do not get the correct web page. The web app receives the request, however it seems to think the request was for the example.com domain and serves a default page instead of the intended subdomain "test" contents. It seems somehow the proxy does not pass on the test.example.com domain, though according to documentation it should. Instead of RewriteRule I also tried ProxyPass directive, but with the same result.
Is there anything I am missing?
(If relevant, ClockingIT is a Ruby on Rails application served via Mongrel)
P.S.: s/Xttp/http/g – ServerFault did not like me using http colon slash slash more than once in my question 😉
Edit:
After looking at the traffic data using tcpflow, the issue seems to be that Apache sends the following to port 3000:

    GET / HTTP/1.1
    Host: test.example.com:3000
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
    Cookie: _session_id=99f5f70d684c2186e64c5ebb8f69d574
    Via: 1.1 example.com
    X-Forwarded-For: 1.2.3.4
    X-Forwarded-Host: example.com
    X-Forwarded-Server: example.com

Using "telnet localhost 3000" and pasting the above, I get a redirect. If I repeat this and omit the X-Forwarded-Host: line, I get the intended page. So my setup is actually working, but ClockingIT seems to base its decision on the X-Forwarded-Host value. Any way I can prevent this from being included?
Best Answer
Apache 2.4 and later has a directive to remove the X-Forwarded-* headers.

    ProxyAddHeaders off

https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxyaddheaders
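
The directive from the answer placed in the question's virtual host, as an added example (not the asker's or the answerer's own configuration). It assumes Apache 2.4 with mod_proxy, mod_proxy_http and mod_headers loaded, and uses ProxyPass in place of the question's RewriteRule lines. Because mod_proxy no longer touches these headers once ProxyAddHeaders is off, a client-supplied X-Forwarded-Host would otherwise reach the backend unchanged, so it is stripped as well.

```apache
# Added example: assumes Apache 2.4+, mod_proxy, mod_proxy_http, mod_headers.
<VirtualHost *:443>
    ServerName example.com
    # (SSL certificate setup goes here, as in the question)

    # Never act as a forward proxy.
    ProxyRequests Off

    # Send "Host: test.example.com:3000" to the backend (this is the default),
    # so the application selects the "test" subdomain.
    ProxyPreserveHost Off

    # Stop mod_proxy from adding X-Forwarded-For, X-Forwarded-Host and
    # X-Forwarded-Server to the proxied request.
    ProxyAddHeaders Off

    # With ProxyAddHeaders Off, headers of the same name sent by the client
    # are passed through as-is. The backend bases its routing on
    # X-Forwarded-Host, so remove whatever the client supplied.
    RequestHeader unset X-Forwarded-Host
    RequestHeader unset X-Forwarded-Server

    # Map /cit/ on the public host to the internal application.
    ProxyPass        "/cit/" "http://test.example.com:3000/"
    ProxyPassReverse "/cit/" "http://test.example.com:3000/"

    # Equivalent of the question's first RewriteRule: send /cit to /cit/.
    RedirectMatch "^/cit$" "/cit/"
</VirtualHost>
```

ProxyAddHeaders Off also drops X-Forwarded-For, so the backend's logs show the proxy's own address rather than the real client. A capture on port 3000 like the tcpflow one in the question, taken while sending a request that carries its own X-Forwarded-Host header, shows whether any of these headers still reach the application.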