Rewriting 302 App Server ReDirect URLs with Apache Proxy in the Middle

redirect apache-2.2 ssl mod-proxy

I have an odd setup. It looks like this:

Browser ----------> HTTPs Proxy ------> Apache HTTP -----> Tomcat AJP
           HTTPS                 HTTP                AJP

On the HTTPS proxy (a very dumb proxy), a URL comes in looking like https: //proxy.domain.com/app. It is then tunneled to Apache using HTTP as is http: //apache.domain.com/app (passing in the host proxy.domain.com). Apache then tunnels the request locally using the AJP protocol to ajp: //localhost:8009/app/.

Sometimes the app server wants to redirect the requested path. For example, redirect /app/ to /app/webapp. So, it sends a 302 back to apache redirecting the path - probably something like ajp: //localhost:8009/app/webapp. Apache then rewrites the redirect URL to http: //proxy.domain.com/app/webapp. The HTTPS proxy is dumb, so it does not analyze the redirect and change the http to https.

So, I would like to figure out if I can configure Apache to re-write the 302 redirect URL to send the user to https.

Here is the config I have so far in Apache's https.conf:

ProxyPreserveHost       on
RewriteEngine           on
RewriteRule ^/app$ /app/ [PT]
ProxyPass /app ajp://localhost:8009/app

I tried using ProxyPassReverse, but haven't been able to figure out how to force it to rewrite the 302 redirect URL with https instead of http.

Any thoughts?


Solution 1:

I always wrestle with a problem for hours before giving up and posting a question - only to solve my own problem minutes after posting ...

For those interested, the solution is not to use ProxyPassReverse, but rather to use the Header directive - it' let's you mess with outbound headers. In this case, I can capture the Location response header and run a regex on it to fix the URL's protocol:

ProxyPreserveHost       on
RewriteEngine           on
RewriteRule ^/app$ /app/ [PT]
ProxyPass /app ajp://localhost:8009/app
Header edit Location ^http(\:\/\/proxy.*)$ https$1

Voila!

If apache complains, it might be that mod_headers is not yet enabled: a2enmod headers

Solution 2:

I've found another option.

Based on https://stackoverflow.com/questions/5741210/handling-x-forwarded-proto-in-java-apache-tomcat and Apache ReverseProxyPass redrects to http rather than https it seems some servers recognize the X-Forwarded-Protocol header. One can make Tomcat recognize it by adding:

<Valve className="org.apache.catalina.valves.RemoteIpValve" protocolHeader="x-forwarded-protocol" />

to server.xml.

Related

What's the difference between: Verisign Thawte Geotrust Rapidssl certs?
Freeing up space in my SVN repository
Postgres vs MySQL: Which one is more difficult to scale out?
How can I test the security of my server?
SNMP - So I have a MIB. Now What?
Linux file server for an inexperienced admin
How to build network across buildings?
What is a good and safe way of sharing ssh-keypairs?
Which hard drive corresponds to ata1.00 and ata12.00?
Which tar file format should I use?
Install .NET 4 via command line or PowerShell?
How to start / stop proftpd