Rewriting 302 App Server ReDirect URLs with Apache Proxy in the Middle

I have an odd setup. It looks like this:

Browser ----------> HTTPs Proxy ------> Apache HTTP -----> Tomcat AJP
           HTTPS                 HTTP                AJP

On the HTTPS proxy (a very dumb proxy), a URL comes in looking like https: //proxy.domain.com/app. It is then tunneled to Apache using HTTP as is http: //apache.domain.com/app (passing in the host proxy.domain.com). Apache then tunnels the request locally using the AJP protocol to ajp: //localhost:8009/app/.

Sometimes the app server wants to redirect the requested path. For example, redirect /app/ to /app/webapp. So, it sends a 302 back to apache redirecting the path - probably something like ajp: //localhost:8009/app/webapp. Apache then rewrites the redirect URL to http: //proxy.domain.com/app/webapp. The HTTPS proxy is dumb, so it does not analyze the redirect and change the http to https.

So, I would like to figure out if I can configure Apache to re-write the 302 redirect URL to send the user to https.

Here is the config I have so far in Apache's https.conf:

ProxyPreserveHost       on
RewriteEngine           on
RewriteRule ^/app$ /app/ [PT]
ProxyPass /app ajp://localhost:8009/app

I tried using ProxyPassReverse, but haven't been able to figure out how to force it to rewrite the 302 redirect URL with https instead of http.

Any thoughts?


Solution 1:

I always wrestle with a problem for hours before giving up and posting a question - only to solve my own problem minutes after posting ...

For those interested, the solution is not to use ProxyPassReverse, but rather to use the Header directive - it' let's you mess with outbound headers. In this case, I can capture the Location response header and run a regex on it to fix the URL's protocol:

ProxyPreserveHost       on
RewriteEngine           on
RewriteRule ^/app$ /app/ [PT]
ProxyPass /app ajp://localhost:8009/app
Header edit Location ^http(\:\/\/proxy.*)$ https$1

Voila!

If apache complains, it might be that mod_headers is not yet enabled: a2enmod headers

Solution 2:

I've found another option.

Based on https://stackoverflow.com/questions/5741210/handling-x-forwarded-proto-in-java-apache-tomcat and Apache ReverseProxyPass redrects to http rather than https it seems some servers recognize the X-Forwarded-Protocol header. One can make Tomcat recognize it by adding:

<Valve className="org.apache.catalina.valves.RemoteIpValve" protocolHeader="x-forwarded-protocol" />

to server.xml.