Apache modsec + ssl proxy loop
I have a server where we have the following setup:
http://example.com -(REDIRECT)-> https://example.com
Now we would like to add a simple ssl proxy(on the same machine where the A record is also pointing to) that will do the following:
https://otherexample.com -(PROXY)-> https://example.com/a-uri
For some reason we always end up in a loop, this is what the modsecurity log shows:
GET /a-uri/a-uri/a-uri/a-uri/a-uri/a-uri/a-uri/a-uri/a-uri/...
HTTP/1.1
Host: otherexample.com
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11_0_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Accept-Language: nl-BE,nl;q=0.9
X-Forwarded-For: CLIENTIP, SERVERIP, SERVERIP, SERVERIP, ...
X-Forwarded-Host: otherexample.com, otherexample.com, otherexample.com, ...
X-Forwarded-Server: otherexample.com, otherexample.com, otherexample.com, ...
Apache configs that i tried:
ProxyPreserveHost On
SSLEngine on
SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
ProxyPass / https://example.com/a-uri/
ProxyPassReverse / https://example.com/a-uri/
Rewriteengine:
RewriteRule ^/(.*) https://example.com/a-uri/$1 [P,l]
Solution 1:
The RewriteRule
is clearly causing the loop, by prepending /a-uri
onto the URL of each request, and sending it back to be processed again.
You don't say if that directive is part of the server-wide configuration, but it seems that it probably is. It should be contained within the virtual host for otherexample.com, so it only applies to that host. Like this:
<VirtualHost *:443>
ServerName otherexample.com
RewriteEngine on
RewriteRule ^/(.*) https://example.com/a-uri/$1 [P,L]
</VirtualHost>
Or, maybe clearer:
<VirtualHost *:443>
ServerName otherexample.com
ProxyPass / https://example.com/a-uri/
ProxyPassReverse / https://example.com/a-uri/
</VirtualHost>