Apache modsec + ssl proxy loop

reverse-proxy apache-2.4 proxypass mod-security

I have a server where we have the following setup:

http://example.com -(REDIRECT)-> https://example.com

Now we would like to add a simple ssl proxy(on the same machine where the A record is also pointing to) that will do the following:

https://otherexample.com -(PROXY)-> https://example.com/a-uri

For some reason we always end up in a loop, this is what the modsecurity log shows:

GET /a-uri/a-uri/a-uri/a-uri/a-uri/a-uri/a-uri/a-uri/a-uri/...
HTTP/1.1
Host: otherexample.com
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11_0_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Accept-Language: nl-BE,nl;q=0.9
X-Forwarded-For: CLIENTIP, SERVERIP, SERVERIP, SERVERIP, ...
X-Forwarded-Host: otherexample.com, otherexample.com, otherexample.com, ...
X-Forwarded-Server: otherexample.com, otherexample.com, otherexample.com, ...

Apache configs that i tried:

ProxyPreserveHost On
SSLEngine on
SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off


ProxyPass / https://example.com/a-uri/
ProxyPassReverse / https://example.com/a-uri/

Rewriteengine:

RewriteRule ^/(.*) https://example.com/a-uri/$1 [P,l]

Solution 1:

The RewriteRule is clearly causing the loop, by prepending /a-uri onto the URL of each request, and sending it back to be processed again.

You don't say if that directive is part of the server-wide configuration, but it seems that it probably is. It should be contained within the virtual host for otherexample.com, so it only applies to that host. Like this:

<VirtualHost *:443>
  ServerName otherexample.com
  RewriteEngine on
  RewriteRule ^/(.*) https://example.com/a-uri/$1 [P,L]
</VirtualHost>

Or, maybe clearer:

<VirtualHost *:443>
  ServerName otherexample.com
  ProxyPass        / https://example.com/a-uri/
  ProxyPassReverse / https://example.com/a-uri/
</VirtualHost>

Related

Spikes on External Metric scales HPA when it shouldn't
NFS Write Speed Dropping in case of faulty COMMIT-procedure
How to serve TFTP content via script (PHP-like)?
iptables allow outgoing SSH and HTTPS traffic for established connections,
Postfix does not add to: header for outgoing mail
IRF (stacking) Configuration on HP Comware switches (5130's)
Packet fragmentation from within Kubernetes containers
nginx - ssl session resumption
Setup ceph for storage mailserver?
How do servers in the DMZ of a network communicate with internal servers, i.e. back-end servers that handle data processing?
smartd error [ATA error count increased]
Office 365 Exchange shared contacts